<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <title>Feature Policy</title>
<style data-fill-with="stylesheet">/******************************************************************************
 *                   Style sheet for the W3C specifications                   *
 *
 * Special classes handled by this style sheet include:
 *
 * Indices
 *   - .toc for the Table of Contents (<ol class="toc">)
 *     + <span class="secno"> for the section numbers
 *   - #toc for the Table of Contents (<nav id="toc">)
 *   - ul.index for Indices (<a href="#ref">term</a><span>, in §N.M</span>)
 *   - table.index for Index Tables (e.g. for properties or elements)
 *
 * Structural Markup
 *   - table.data for general data tables
 *     -> use 'scope' attribute, <colgroup>, <thead>, and <tbody> for best results !
 *     -> use <table class='complex data'> for extra-complex tables
 *     -> use <td class='long'> for paragraph-length cell content
 *     -> use <td class='pre'> when manual line breaks/indentation would help readability
 *   - dl.switch for switch statements
 *   - ol.algorithm for algorithms (helps to visualize nesting)
 *   - .figure and .caption (HTML4) and figure and figcaption (HTML5)
 *     -> .sidefigure for right-floated figures
 *   - ins/del
 *
 * Code
 *   - pre and code
 *
 * Special Sections
 *   - .note       for informative notes             (div, p, span, aside, details)
 *   - .example    for informative examples          (div, p, pre, span)
 *   - .issue      for issues                        (div, p, span)
 *   - .assertion  for assertions                    (div, p, span)
 *   - .advisement for loud normative statements     (div, p, strong)
 *   - .annoying-warning for spec obsoletion notices (div, aside, details)
 *
 * Definition Boxes
 *   - pre.def   for WebIDL definitions
 *   - table.def for tables that define other entities (e.g. CSS properties)
 *   - dl.def    for definition lists that define other entitles (e.g. HTML elements)
 *
 * Numbering
 *   - .secno for section numbers in .toc and headings (<span class='secno'>3.2</span>)
 *   - .marker for source-inserted example/figure/issue numbers (<span class='marker'>Issue 4</span>)
 *   - ::before styled for CSS-generated issue/example/figure numbers:
 *     -> Documents wishing to use this only need to add
 *        figcaption::before,
 *        .caption::before { content: "Figure "  counter(figure) " ";  }
 *        .example::before { content: "Example " counter(example) " "; }
 *        .issue::before   { content: "Issue "   counter(issue) " ";   }
 *
 * Header Stuff (ignore, just don't conflict with these classes)
 *   - .head for the header
 *   - .copyright for the copyright
 *
 * Miscellaneous
 *   - .overlarge for things that should be as wide as possible, even if
 *     that overflows the body text area. This can be used on an item or
 *     on its container, depending on the effect desired.
 *     Note that this styling basically doesn't help at all when printing,
 *     since A4 paper isn't much wider than the max-width here.
 *     It's better to design things to fit into a narrower measure if possible.
 *   - js-added ToC jump links (see fixup.js)
 *
 ******************************************************************************/

/******************************************************************************/
/*                                   Body                                     */
/******************************************************************************/

	body {
		counter-reset: example figure issue;

		/* Layout */
		max-width: 50em;               /* limit line length to 50em for readability   */
		margin: 0 auto;                /* center text within page                     */
		padding: 1.6em 1.5em 2em 50px; /* assume 16px font size for downlevel clients */
		padding: 1.6em 1.5em 2em calc(26px + 1.5em); /* leave space for status flag     */

		/* Typography */
		line-height: 1.5;
		font-family: sans-serif;
		widows: 2;
		orphans: 2;
		word-wrap: break-word;
		overflow-wrap: break-word;
		hyphens: auto;

		/* Colors */
		color: black;
		background: white top left fixed no-repeat;
		background-size: 25px auto;
	}


/******************************************************************************/
/*                         Front Matter & Navigation                          */
/******************************************************************************/

/** Header ********************************************************************/

	div.head { margin-bottom: 1em }
	div.head hr { border-style: solid; }

	div.head h1 {
		font-weight: bold;
		margin: 0 0 .1em;
		font-size: 220%;
	}

	div.head h2 { margin-bottom: 1.5em;}

/** W3C Logo ******************************************************************/

	.head .logo {
		float: right;
		margin: 0.4rem 0 0.2rem .4rem;
	}

	.head img[src*="logos/W3C"] {
		display: block;
		border: solid #1a5e9a;
		border-width: .65rem .7rem .6rem;
		border-radius: .4rem;
		background: #1a5e9a;
		color: white;
		font-weight: bold;
	}

	.head a:hover > img[src*="logos/W3C"],
	.head a:focus > img[src*="logos/W3C"] {
		opacity: .8;
	}

	.head a:active > img[src*="logos/W3C"] {
		background: #c00;
		border-color: #c00;
	}

	/* see also additional rules in Link Styling section */

/** Copyright *****************************************************************/

	p.copyright,
	p.copyright small { font-size: small }

/** Back to Top / ToC Toggle **************************************************/

	@media print {
		#toc-nav {
			display: none;
		}
	}
	@media not print {
		#toc-nav {
			position: fixed;
			z-index: 2;
			bottom: 0; left: 0;
			margin: 0;
			min-width: 1.33em;
			border-top-right-radius: 2rem;
			box-shadow: 0 0 2px;
			font-size: 1.5em;
			color: black;
		}
		#toc-nav > a {
			display: block;
			white-space: nowrap;

			height: 1.33em;
			padding: .1em 0.3em;
			margin: 0;

			background: white;
			box-shadow: 0 0 2px;
			border: none;
			border-top-right-radius: 1.33em;
			background: white;
		}
		#toc-nav > #toc-jump {
			padding-bottom: 2em;
			margin-bottom: -1.9em;
		}

		#toc-nav > a:hover,
		#toc-nav > a:focus {
			background: #f8f8f8;
		}
		#toc-nav > a:not(:hover):not(:focus) {
			color: #707070;
		}

		/* statusbar gets in the way on keyboard focus; remove once browsers fix */
		#toc-nav > a[href="#toc"]:not(:hover):focus:last-child {
			padding-bottom: 1.5rem;
		}

		#toc-nav:not(:hover) > a:not(:focus) > span + span {
			/* Ideally this uses :focus-within on #toc-nav */
			display: none;
		}
		#toc-nav > a > span + span {
			padding-right: 0.2em;
		}

		#toc-toggle-inline {
			vertical-align: 0.05em;
			font-size: 80%;
			color: gray;
			color: hsla(203,20%,40%,.7);
			border-style: none;
			background: transparent;
			position: relative;
		}
		#toc-toggle-inline:hover:not(:active),
		#toc-toggle-inline:focus:not(:active) {
			text-shadow: 1px 1px silver;
			top: -1px;
			left: -1px;
		}

		#toc-nav :active {
			color: #C00;
		}
	}

/** ToC Sidebar ***************************************************************/

	/* Floating sidebar */
	@media screen {
		body.toc-sidebar #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			max-width: 80%;
			max-width: calc(100% - 2em - 26px);
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body.toc-sidebar #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}
		body.toc-sidebar #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	/* Hide main scroller when only the ToC is visible anyway */
	@media screen and (max-width: 28em) {
		body.toc-sidebar {
			overflow: hidden;
		}
	}

	/* Sidebar with its own space */
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body:not(.toc-inline) #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}

		body:not(.toc-inline) {
			padding-left: 29em;
		}
		/* See also Overflow section at the bottom */

		body:not(.toc-inline) #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) {
			margin: 0 4em;
		}
	}

/******************************************************************************/
/*                                Sectioning                                  */
/******************************************************************************/

/** Headings ******************************************************************/

	h1, h2, h3, h4, h5, h6, dt {
		page-break-after: avoid;
		page-break-inside: avoid;
		font: 100% sans-serif;   /* Reset all font styling to clear out UA styles */
		font-family: inherit;    /* Inherit the font family. */
		line-height: 1.2;        /* Keep wrapped headings compact */
		hyphens: manual;         /* Hyphenated headings look weird */
	}

	h2, h3, h4, h5, h6 {
		margin-top: 3rem;
	}

	h1, h2, h3 {
		color: #005A9C;
		background: transparent;
	}

	h1 { font-size: 170%; }
	h2 { font-size: 140%; }
	h3 { font-size: 120%; }
	h4 { font-weight: bold; }
	h5 { font-style: italic; }
	h6 { font-variant: small-caps; }
	dt { font-weight: bold; }

/** Subheadings ***************************************************************/

	h1 + h2,
	#subtitle {
		/* #subtitle is a subtitle in an H2 under the H1 */
		margin-top: 0;
	}
	h2 + h3,
	h3 + h4,
	h4 + h5,
	h5 + h6 {
		margin-top: 1.2em; /* = 1 x line-height */
	}

/** Section divider ***********************************************************/

	:not(.head) > hr {
		font-size: 1.5em;
		text-align: center;
		margin: 1em auto;
		height: auto;
		border: transparent solid 0;
		background: transparent;
	}
	:not(.head) > hr::before {
		content: "\2727\2003\2003\2727\2003\2003\2727";
	}

/******************************************************************************/
/*                            Paragraphs and Lists                            */
/******************************************************************************/

	p {
		margin: 1em 0;
	}

	dd > p:first-child,
	li > p:first-child {
		margin-top: 0;
	}

	ul, ol {
		margin-left: 0;
		padding-left: 2em;
	}

	li {
		margin: 0.25em 0 0.5em;
		padding: 0;
	}

	dl dd {
		margin: 0 0 .5em 2em;
	}

	.head dd + dd { /* compact for header */
		margin-top: -.5em;
	}

	/* Style for algorithms */
	ol.algorithm ol:not(.algorithm),
	.algorithm > ol ol:not(.algorithm) {
	 border-left: 0.5em solid #DEF;
	}

	/* Put nice boxes around each algorithm. */
	[data-algorithm]:not(.heading) {
	  padding: .5em;
	  border: thin solid #ddd; border-radius: .5em;
	  margin: .5em calc(-0.5em - 1px);
	}
	[data-algorithm]:not(.heading) > :first-child {
	  margin-top: 0;
	}
	[data-algorithm]:not(.heading) > :last-child {
	  margin-bottom: 0;
	}

	/* Style for switch/case <dl>s */
	dl.switch > dd > ol.only,
	dl.switch > dd > .only > ol {
	 margin-left: 0;
	}
	dl.switch > dd > ol.algorithm,
	dl.switch > dd > .algorithm > ol {
	 margin-left: -2em;
	}
	dl.switch {
	 padding-left: 2em;
	}
	dl.switch > dt {
	 text-indent: -1.5em;
	 margin-top: 1em;
	}
	dl.switch > dt + dt {
	 margin-top: 0;
	}
	dl.switch > dt::before {
	 content: '\21AA';
	 padding: 0 0.5em 0 0;
	 display: inline-block;
	 width: 1em;
	 text-align: right;
	 line-height: 0.5em;
	}

/** Terminology Markup ********************************************************/


/******************************************************************************/
/*                                 Inline Markup                              */
/******************************************************************************/

/** Terminology Markup ********************************************************/
	dfn   { /* Defining instance */
		font-weight: bolder;
	}
	a > i { /* Instance of term */
		font-style: normal;
	}
	dt dfn code, code.idl {
		font-size: medium;
	}
	dfn var {
		font-style: normal;
	}

/** Change Marking ************************************************************/

	del { color: red;  text-decoration: line-through; }
	ins { color: #080; text-decoration: underline;    }

/** Miscellaneous improvements to inline formatting ***************************/

	sup {
		vertical-align: super;
		font-size: 80%
	}

/******************************************************************************/
/*                                    Code                                    */
/******************************************************************************/

/** General monospace/pre rules ***********************************************/

	pre, code, samp {
		font-family: Menlo, Consolas, "DejaVu Sans Mono", Monaco, monospace;
		font-size: .9em;
		page-break-inside: avoid;
		hyphens: none;
		text-transform: none;
	}
	pre code,
	code code {
		font-size: 100%;
	}

	pre {
		margin-top: 1em;
		margin-bottom: 1em;
		overflow: auto;
	}

/** Inline Code fragments *****************************************************/

  /* Do something nice. */

/******************************************************************************/
/*                                    Links                                   */
/******************************************************************************/

/** General Hyperlinks ********************************************************/

	/* We hyperlink a lot, so make it less intrusive */
	a[href] {
		color: #034575;
		text-decoration: none;
		border-bottom: 1px solid #707070;
		/* Need a bit of extending for it to look okay */
		padding: 0 1px 0;
		margin: 0 -1px 0;
	}
	a:visited {
		border-bottom-color: #BBB;
	}

	/* Use distinguishing colors when user is interacting with the link */
	a[href]:focus,
	a[href]:hover {
		background: #f8f8f8;
		background: rgba(75%, 75%, 75%, .25);
		border-bottom-width: 3px;
		margin-bottom: -2px;
	}
	a[href]:active {
		color: #C00;
		border-color: #C00;
	}

	/* Backout above styling for W3C logo */
	.head .logo,
	.head .logo a {
		border: none;
		text-decoration: none;
		background: transparent;
	}

/******************************************************************************/
/*                                    Images                                  */
/******************************************************************************/

	img {
		border-style: none;
	}

	/* For autogen numbers, add
	   .caption::before, figcaption::before { content: "Figure " counter(figure) ". "; }
	*/

	figure, .figure, .sidefigure {
		page-break-inside: avoid;
		text-align: center;
		margin: 2.5em 0;
	}
	.figure img,    .sidefigure img,    figure img,
	.figure object, .sidefigure object, figure object {
		max-width: 100%;
		margin: auto;
	}
	.figure pre, .sidefigure pre, figure pre {
		text-align: left;
		display: table;
		margin: 1em auto;
	}
	.figure table, figure table {
		margin: auto;
	}
	@media screen and (min-width: 20em) {
		.sidefigure {
			float: right;
			width: 50%;
			margin: 0 0 0.5em 0.5em
		}
	}
	.caption, figcaption, caption {
		font-style: italic;
		font-size: 90%;
	}
	.caption::before, figcaption::before, figcaption > .marker {
		font-weight: bold;
	}
	.caption, figcaption {
		counter-increment: figure;
	}

	/* DL list is indented 2em, but figure inside it is not */
	dd > .figure, dd > figure { margin-left: -2em }

/******************************************************************************/
/*                             Colored Boxes                                  */
/******************************************************************************/

	.issue, .note, .example, .assertion, .advisement, blockquote {
		padding: .5em;
		border: .5em;
		border-left-style: solid;
		page-break-inside: avoid;
	}
	span.issue, span.note {
		padding: .1em .5em .15em;
		border-right-style: solid;
	}

	.issue,
	.note,
	.example,
	.advisement,
	.assertion,
	blockquote {
		margin: 1em auto;
	}
	.note  > p:first-child,
	.issue > p:first-child,
	blockquote > :first-child {
		margin-top: 0;
	}
	blockquote > :last-child {
		margin-bottom: 0;
	}

/** Blockquotes ***************************************************************/

	blockquote {
		border-color: silver;
	}

/** Open issue ****************************************************************/

	.issue {
		border-color: #E05252;
		background: #FBE9E9;
		counter-increment: issue;
		overflow: auto;
	}
	.issue::before, .issue > .marker {
		text-transform: uppercase;
		color: #AE1E1E;
		padding-right: 1em;
		text-transform: uppercase;
	}
	/* Add .issue::before { content: "Issue " counter(issue) " "; } for autogen numbers,
	   or use class="marker" to mark up the issue number in source. */

/** Example *******************************************************************/

	.example {
		border-color: #E0CB52;
		background: #FCFAEE;
		counter-increment: example;
		overflow: auto;
		clear: both;
	}
	.example::before, .example > .marker {
		text-transform: uppercase;
		color: #827017;
		min-width: 7.5em;
		display: block;
	}
	/* Add .example::before { content: "Example " counter(example) " "; } for autogen numbers,
	   or use class="marker" to mark up the example number in source. */

/** Non-normative Note ********************************************************/

	.note {
		border-color: #52E052;
		background: #E9FBE9;
		overflow: auto;
	}

	.note::before, .note > .marker,
	details.note > summary::before,
	details.note > summary > .marker {
		text-transform: uppercase;
		display: block;
		color: hsl(120, 70%, 30%);
	}
	/* Add .note::before { content: "Note"; } for autogen label,
	   or use class="marker" to mark up the label in source. */

	details.note > summary {
		display: block;
		color: hsl(120, 70%, 30%);
	}
	details.note[open] > summary {
		border-bottom: 1px silver solid;
	}

/** Assertion Box *************************************************************/
	/*  for assertions in algorithms */

	.assertion {
		border-color: #AAA;
		background: #EEE;
	}

/** Advisement Box ************************************************************/
	/*  for attention-grabbing normative statements */

	.advisement {
		border-color: orange;
		border-style: none solid;
		background: #FFEECC;
	}
	strong.advisement {
		display: block;
		text-align: center;
	}
	.advisement > .marker {
		color: #B35F00;
	}

/** Spec Obsoletion Notice ****************************************************/
	/* obnoxious obsoletion notice for older/abandoned specs. */

	details {
		display: block;
	}
	summary {
		font-weight: bolder;
	}

	.annoying-warning:not(details),
	details.annoying-warning:not([open]) > summary,
	details.annoying-warning[open] {
		background: #fdd;
		color: red;
		font-weight: bold;
		padding: .75em 1em;
		border: thick red;
		border-style: solid;
		border-radius: 1em;
	}
	.annoying-warning :last-child {
		margin-bottom: 0;
	}

@media not print {
	details.annoying-warning[open] {
		position: fixed;
		left: 1em;
		right: 1em;
		bottom: 1em;
		z-index: 1000;
	}
}

	details.annoying-warning:not([open]) > summary {
		text-align: center;
	}

/** Entity Definition Boxes ***************************************************/

	.def {
		padding: .5em 1em;
		background: #DEF;
		margin: 1.2em 0;
		border-left: 0.5em solid #8CCBF2;
	}

/******************************************************************************/
/*                                    Tables                                  */
/******************************************************************************/

	th, td {
		text-align: left;
		text-align: start;
	}

/** Property/Descriptor Definition Tables *************************************/

	table.def {
		/* inherits .def box styling, see above */
		width: 100%;
		border-spacing: 0;
	}

	table.def td,
	table.def th {
		padding: 0.5em;
		vertical-align: baseline;
		border-bottom: 1px solid #bbd7e9;
	}

	table.def > tbody > tr:last-child th,
	table.def > tbody > tr:last-child td {
		border-bottom: 0;
	}

	table.def th {
		font-style: italic;
		font-weight: normal;
		padding-left: 1em;
		width: 3em;
	}

	/* For when values are extra-complex and need formatting for readability */
	table td.pre {
		white-space: pre-wrap;
	}

	/* A footnote at the bottom of a def table */
	table.def           td.footnote {
		padding-top: 0.6em;
	}
	table.def           td.footnote::before {
		content: " ";
		display: block;
		height: 0.6em;
		width: 4em;
		border-top: thin solid;
	}

/** Data tables (and properly marked-up index tables) *************************/
	/*
		 <table class="data"> highlights structural relationships in a table
		 when correct markup is used (e.g. thead/tbody, th vs. td, scope attribute)

		 Use class="complex data" for particularly complicated tables --
		 (This will draw more lines: busier, but clearer.)

		 Use class="long" on table cells with paragraph-like contents
		 (This will adjust text alignment accordingly.)
		 Alternately use class="longlastcol" on tables, to have the last column assume "long".
	*/

	table {
		word-wrap: normal;
		overflow-wrap: normal;
		hyphens: manual;
	}

	table.data,
	table.index {
		margin: 1em auto;
		border-collapse: collapse;
		border: hidden;
		width: 100%;
	}
	table.data caption,
	table.index caption {
		max-width: 50em;
		margin: 0 auto 1em;
	}

	table.data td,  table.data th,
	table.index td, table.index th {
		padding: 0.5em 1em;
		border-width: 1px;
		border-color: silver;
		border-top-style: solid;
	}

	table.data thead td:empty {
		padding: 0;
		border: 0;
	}

	table.data  thead,
	table.index thead,
	table.data  tbody,
	table.index tbody {
		border-bottom: 2px solid;
	}

	table.data colgroup,
	table.index colgroup {
		border-left: 2px solid;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		border-right: 2px solid;
		border-top: 1px solid silver;
		padding-right: 1em;
	}

	table.data th[colspan],
	table.data td[colspan] {
		text-align: center;
	}

	table.complex.data th,
	table.complex.data td {
		border: 1px solid silver;
		text-align: center;
	}

	table.data.longlastcol td:last-child,
	table.data td.long {
	 vertical-align: baseline;
	 text-align: left;
	}

	table.data img {
		vertical-align: middle;
	}


/*
Alternate table alignment rules

	table.data,
	table.index {
		text-align: center;
	}

	table.data  thead th[scope="row"],
	table.index thead th[scope="row"] {
		text-align: right;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		text-align: right;
	}

Possible extra rowspan handling

	table.data  tbody th[rowspan]:not([rowspan='1']),
	table.index tbody th[rowspan]:not([rowspan='1']),
	table.data  tbody td[rowspan]:not([rowspan='1']),
	table.index tbody td[rowspan]:not([rowspan='1']) {
		border-left: 1px solid silver;
	}

	table.data  tbody th[rowspan]:first-child,
	table.index tbody th[rowspan]:first-child,
	table.data  tbody td[rowspan]:first-child,
	table.index tbody td[rowspan]:first-child{
		border-left: 0;
		border-right: 1px solid silver;
	}
*/

/******************************************************************************/
/*                                  Indices                                   */
/******************************************************************************/


/** Table of Contents *********************************************************/

	.toc a {
		/* More spacing; use padding to make it part of the click target. */
		padding-top: 0.1rem;
		/* Larger, more consistently-sized click target */
		display: block;
		/* Reverse color scheme */
		color: black;
		border-color: #3980B5;
		border-bottom-width: 3px !important;
		margin-bottom: 0px !important;
	}
	.toc a:visited {
		border-color: #054572;
	}
	.toc a:not(:focus):not(:hover) {
		/* Allow colors to cascade through from link styling */
		border-bottom-color: transparent;
	}

	.toc, .toc ol, .toc ul, .toc li {
		list-style: none; /* Numbers must be inlined into source */
		/* because generated content isn't search/selectable and markers can't do multilevel yet */
		margin:  0;
		padding: 0;
		line-height: 1.1rem; /* consistent spacing */
	}

	/* ToC not indented until third level, but font style & margins show hierarchy */
	.toc > li             { font-weight: bold;   }
	.toc > li li          { font-weight: normal; }
	.toc > li li li       { font-size:   95%;    }
	.toc > li li li li    { font-size:   90%;    }
	.toc > li li li li .secno { font-size: 85%; }
	.toc > li li li li li { font-size:   85%;    }
	.toc > li li li li li .secno { font-size: 100%; }

	/* @supports not (display:grid) { */
		.toc > li             { margin: 1.5rem 0;    }
		.toc > li li          { margin: 0.3rem 0;    }
		.toc > li li li       { margin-left: 2rem;   }

		/* Section numbers in a column of their own */
		.toc .secno {
			float: left;
			width: 4rem;
			white-space: nowrap;
		}

		.toc li {
			clear: both;
		}

		:not(li) > .toc              { margin-left:  5rem; }
		.toc .secno                  { margin-left: -5rem; }
		.toc > li li li .secno       { margin-left: -7rem; }
		.toc > li li li li .secno    { margin-left: -9rem; }
		.toc > li li li li li .secno { margin-left: -11rem; }

		/* Tighten up indentation in narrow ToCs */
		@media (max-width: 30em) {
			:not(li) > .toc              { margin-left:  4rem; }
			.toc .secno                  { margin-left: -4rem; }
			.toc > li li li              { margin-left:  1rem; }
			.toc > li li li .secno       { margin-left: -5rem; }
			.toc > li li li li .secno    { margin-left: -6rem; }
			.toc > li li li li li .secno { margin-left: -7rem; }
		}
	/* } */

	@supports (display:grid) and (display:contents) {
		/* Use #toc over .toc to override non-@supports rules. */
		#toc {
			display: grid;
			align-content: start;
			grid-template-columns: auto 1fr;
			grid-column-gap: 1rem;
			column-gap: 1rem;
			grid-row-gap: .6rem;
			row-gap: .6rem;
		}
		#toc h2 {
			grid-column: 1 / -1;
			margin-bottom: 0;
		}
		#toc ol,
		#toc li,
		#toc a {
			display: contents;
			/* Switch <a> to subgrid when supported */
		}
		#toc span {
			margin: 0;
		}
		#toc > .toc > li > a > span {
			/* The spans of the top-level list,
			   comprising the first items of each top-level section. */
			margin-top: 1.1rem;
		}
		#toc#toc .secno { /* Ugh, need more specificity to override base.css */
			grid-column: 1;
			width: auto;
			margin-left: 0;
		}
		#toc .content {
			grid-column: 2;
			width: auto;
			margin-right: 1rem;
		}
		#toc .content:hover {
			background: rgba(75%, 75%, 75%, .25);
			border-bottom: 3px solid #054572;
			margin-bottom: -3px;
		}
		#toc li li li .content {
			margin-left: 1rem;
		}
		#toc li li li li .content {
			margin-left: 2rem;
		}
	}


/** Index *********************************************************************/

	/* Index Lists: Layout */
	ul.index       { margin-left: 0; columns: 15em; text-indent: 1em hanging; }
	ul.index li    { margin-left: 0; list-style: none; break-inside: avoid; }
	ul.index li li { margin-left: 1em }
	ul.index dl    { margin-top: 0; }
	ul.index dt    { margin: .2em 0 .2em 20px;}
	ul.index dd    { margin: .2em 0 .2em 40px;}
	/* Index Lists: Typography */
	ul.index ul,
	ul.index dl { font-size: smaller; }
	@media not print {
		ul.index li span {
			white-space: nowrap;
			color: transparent; }
		ul.index li a:hover + span,
		ul.index li a:focus + span {
			color: #707070;
		}
	}

/** Index Tables *****************************************************/
	/* See also the data table styling section, which this effectively subclasses */

	table.index {
		font-size: small;
		border-collapse: collapse;
		border-spacing: 0;
		text-align: left;
		margin: 1em 0;
	}

	table.index td,
	table.index th {
		padding: 0.4em;
	}

	table.index tr:hover td:not([rowspan]),
	table.index tr:hover th:not([rowspan]) {
		background: #f7f8f9;
	}

	/* The link in the first column in the property table (formerly a TD) */
	table.index th:first-child a {
		font-weight: bold;
	}

/******************************************************************************/
/*                                    Print                                   */
/******************************************************************************/

	@media print {
		/* Pages have their own margins. */
		html {
			margin: 0;
		}
		/* Serif for print. */
		body {
			font-family: serif;
		}
	}
	@page {
		margin: 1.5cm 1.1cm;
	}

/******************************************************************************/
/*                                    Legacy                                  */
/******************************************************************************/

	/* This rule is inherited from past style sheets. No idea what it's for. */
	.hide { display: none }



/******************************************************************************/
/*                             Overflow Control                               */
/******************************************************************************/

	.figure .caption, .sidefigure .caption, figcaption {
		/* in case figure is overlarge, limit caption to 50em */
		max-width: 50rem;
		margin-left: auto;
		margin-right: auto;
	}
	.overlarge {
		/* Magic to create good table positioning:
		   "content column" is 50ems wide at max; less on smaller screens.
		   Extra space (after ToC + content) is empty on the right.

		   1. When table < content column, centers table in column.
		   2. When content < table < available, left-aligns.
		   3. When table > available, fills available + scroll bar.
		*/ 
		display: grid;
		grid-template-columns: minmax(0, 50em);
	}
	.overlarge > table {
		/* limit preferred width of table */
		max-width: 50em;
		margin-left: auto;
		margin-right: auto;
	}

	@media (min-width: 55em) {
		.overlarge {
			margin-right: calc(13px + 26.5rem - 50vw);
			max-width: none;
		}
	}
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) .overlarge {
			/* 30.5em body padding 50em content area */
			margin-right: calc(40em - 50vw) !important;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) .overlarge {
			/* 4em html margin 30.5em body padding 50em content area */
			margin-right: calc(84.5em - 100vw) !important;
		}
	}

	@media not print {
		.overlarge {
			overflow-x: auto;
			/* See Lea Verou's explanation background-attachment:
			 * http://lea.verou.me/2012/04/background-attachment-local/
			 *
			background: top left  / 4em 100% linear-gradient(to right,  #ffffff, rgba(255, 255, 255, 0)) local,
			            top right / 4em 100% linear-gradient(to left, #ffffff, rgba(255, 255, 255, 0)) local,
			            top left  / 1em 100% linear-gradient(to right,  #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            top right / 1em 100% linear-gradient(to left, #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            white;
			background-repeat: no-repeat;
			*/
		}
	}
</style>
  <link href="https://w3c.github.io/webappsec-feature-policy/" rel="canonical">
<style>
  .unstable::before {
    content: "This section is not stable.";
    float: right;
    color: red;
  }
  .unstable {
    background-image: url("data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' width='300' height='290'><text transform='rotate(-45)' text-anchor='middle' font-family='sans-serif' font-weight='bold' font-size='70' y='210' opacity='.1'>Unstable</text></svg>");
    background-repeat: repeat
  }

 .unstable.example:not(.no-marker)::before {
     content: "Example " counter(example) " (Unstable)";
     float: none;
 }
</style>
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
   regarding paragraph and lists. */
[data-md] > :first-child {
    margin-top: 0;
}
[data-md] > :last-child {
    margin-bottom: 0;
}</style>
<style>/* style-selflinks */

.heading, .issue, .note, .example, li, dt {
    position: relative;
}
a.self-link {
    position: absolute;
    top: 0;
    left: calc(-1 * (3.5rem - 26px));
    width: calc(3.5rem - 26px);
    height: 2em;
    text-align: center;
    border: none;
    transition: opacity .2s;
    opacity: .5;
}
a.self-link:hover {
    opacity: 1;
}
.heading > a.self-link {
    font-size: 83%;
}
li > a.self-link {
    left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
    top: auto;
    left: auto;
    opacity: 0;
    width: 1.5em;
    height: 1.5em;
    background: gray;
    color: white;
    font-style: normal;
    transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
    opacity: 1;
}
dfn > a.self-link:hover {
    color: black;
}

a.self-link::before            { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before      { content: "#"; }</style>
<style>/* style-counters */

body {
    counter-reset: example figure issue;
}
.issue {
    counter-increment: issue;
}
.issue:not(.no-marker)::before {
    content: "Issue " counter(issue);
}

.example {
    counter-increment: example;
}
.example:not(.no-marker)::before {
    content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
    content: "Invalid Example" counter(example);
}

figcaption {
    counter-increment: figure;
}
figcaption:not(.no-marker)::before {
    content: "Figure " counter(figure) " ";
}</style>
<style>/* style-autolinks */

.css.css, .property.property, .descriptor.descriptor {
    color: #005a9c;
    font-size: inherit;
    font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
    content: "‘";
}
.css::after, .property::after, .descriptor::after {
    content: "’";
}
.property, .descriptor {
    /* Don't wrap property and descriptor names */
    white-space: nowrap;
}
.type { /* CSS value <type> */
    font-style: italic;
}
pre .property::before, pre .property::after {
    content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
    content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
    content: "’";
}

[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
    content: "";
}

[data-link-type=element],
[data-link-type=element-attr] {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
    font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after  { content: ">" }

[data-link-type=biblio] {
    white-space: pre;
}</style>
<style>/* style-dfn-panel */

.dfn-panel {
    position: absolute;
    z-index: 35;
    height: auto;
    width: -webkit-fit-content;
    width: fit-content;
    max-width: 300px;
    max-height: 500px;
    overflow: auto;
    padding: 0.5em 0.75em;
    font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
    background: #DDDDDD;
    color: black;
    border: outset 0.2em;
}
.dfn-panel:not(.on) { display: none; }
.dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
.dfn-panel > b { display: block; }
.dfn-panel a { color: black; }
.dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
.dfn-panel > b + b { margin-top: 0.25em; }
.dfn-panel ul { padding: 0; }
.dfn-panel li { list-style: inside; }
.dfn-panel.activated {
    display: inline-block;
    position: fixed;
    left: .5em;
    bottom: 2em;
    margin: 0 auto;
    max-width: calc(100vw - 1.5em - .4em - .5em);
    max-height: 30vh;
}

.dfn-paneled { cursor: pointer; }
</style>
<style>/* style-syntax-highlighting */
pre.idl.highlight { color: #708090; }
.highlight:not(.idl) { background: hsl(24, 20%, 95%); }
code.highlight { padding: .1em; border-radius: .3em; }
pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
c-[a] { color: #990055 } /* Keyword.Declaration */
c-[b] { color: #990055 } /* Keyword.Type */
c-[c] { color: #708090 } /* Comment */
c-[d] { color: #708090 } /* Comment.Multiline */
c-[e] { color: #0077aa } /* Name.Attribute */
c-[f] { color: #669900 } /* Name.Tag */
c-[g] { color: #222222 } /* Name.Variable */
c-[k] { color: #990055 } /* Keyword */
c-[l] { color: #000000 } /* Literal */
c-[m] { color: #000000 } /* Literal.Number */
c-[n] { color: #0077aa } /* Name */
c-[o] { color: #999999 } /* Operator */
c-[p] { color: #999999 } /* Punctuation */
c-[s] { color: #a67f59 } /* Literal.String */
c-[t] { color: #a67f59 } /* Literal.String.Single */
c-[u] { color: #a67f59 } /* Literal.String.Double */
c-[cp] { color: #708090 } /* Comment.Preproc */
c-[c1] { color: #708090 } /* Comment.Single */
c-[cs] { color: #708090 } /* Comment.Special */
c-[kc] { color: #990055 } /* Keyword.Constant */
c-[kn] { color: #990055 } /* Keyword.Namespace */
c-[kp] { color: #990055 } /* Keyword.Pseudo */
c-[kr] { color: #990055 } /* Keyword.Reserved */
c-[ld] { color: #000000 } /* Literal.Date */
c-[nc] { color: #0077aa } /* Name.Class */
c-[no] { color: #0077aa } /* Name.Constant */
c-[nd] { color: #0077aa } /* Name.Decorator */
c-[ni] { color: #0077aa } /* Name.Entity */
c-[ne] { color: #0077aa } /* Name.Exception */
c-[nf] { color: #0077aa } /* Name.Function */
c-[nl] { color: #0077aa } /* Name.Label */
c-[nn] { color: #0077aa } /* Name.Namespace */
c-[py] { color: #0077aa } /* Name.Property */
c-[ow] { color: #999999 } /* Operator.Word */
c-[mb] { color: #000000 } /* Literal.Number.Bin */
c-[mf] { color: #000000 } /* Literal.Number.Float */
c-[mh] { color: #000000 } /* Literal.Number.Hex */
c-[mi] { color: #000000 } /* Literal.Number.Integer */
c-[mo] { color: #000000 } /* Literal.Number.Oct */
c-[sb] { color: #a67f59 } /* Literal.String.Backtick */
c-[sc] { color: #a67f59 } /* Literal.String.Char */
c-[sd] { color: #a67f59 } /* Literal.String.Doc */
c-[se] { color: #a67f59 } /* Literal.String.Escape */
c-[sh] { color: #a67f59 } /* Literal.String.Heredoc */
c-[si] { color: #a67f59 } /* Literal.String.Interpol */
c-[sx] { color: #a67f59 } /* Literal.String.Other */
c-[sr] { color: #a67f59 } /* Literal.String.Regex */
c-[ss] { color: #a67f59 } /* Literal.String.Symbol */
c-[vc] { color: #0077aa } /* Name.Variable.Class */
c-[vg] { color: #0077aa } /* Name.Variable.Global */
c-[vi] { color: #0077aa } /* Name.Variable.Instance */
c-[il] { color: #000000 } /* Literal.Number.Integer.Long */
</style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
   <h1 class="p-name no-ref" id="title">Feature Policy</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="1970-01-01">1 January 1970</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://w3c.github.io/webappsec-feature-policy/">https://w3c.github.io/webappsec-feature-policy/</a>
     <dt>Feedback:
     <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5Bfeature-policy%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[feature-policy] <i data-lt>… message topic …</i></kbd>” (<a href="https://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
     <dt class="editor">Editor:
     <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:iclelland@google.com">Ian Clelland</a> (<span class="p-org org">Google</span>)
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 1970 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="https://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="https://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="https://www.keio.ac.jp/">Keio</a>, <a href="https://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
   <hr title="Separator for header">
  </div>
  <div class="p-summary" data-fill-with="abstract">
   <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
   <p>This specification defines a mechanism that allows developers to selectively enable and disable use of various browser features and APIs.</p>
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
   <p> This is a public copy of the editors’ draft.
	It is provided for discussion only and may change at any moment.
	Its publication here does not imply endorsement of its contents by W3C.
	Don’t cite this document other than as work in progress. </p>
   <p> <strong>Changes to this document may be tracked at <a href="https://github.com/w3c/webappsec">https://github.com/w3c/webappsec</a>.</strong> </p>
   <p> The (<a href="https://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:public-webappsec@w3.org?Subject=%5Bfeature-policy%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a> (see <a href="https://www.w3.org/Mail/Request">instructions</a>)
	is preferred for discussion of this specification.
	When sending e-mail,
	please put the text “feature-policy” in the subject,
	preferably like this:
	“[feature-policy] <em>…summary of comment…</em>” </p>
   <p> This document was produced by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>. </p>
   <p> This document was produced by a group operating under
	the <a href="https://www.w3.org/Consortium/Patent-Policy/">W3C Patent Policy</a>.
	W3C maintains a <a href="https://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
	that page also includes instructions for disclosing a patent.
	An individual who has actual knowledge of a patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
   <p> This document is governed by the <a href="https://www.w3.org/2019/Process-20190301/" id="w3c_process_revision">1 March 2019 W3C Process Document</a>. </p>
   <p></p>
  </div>
  <div data-fill-with="at-risk"></div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li><a href="#introduction"><span class="secno">1</span> <span class="content">Introduction</span></a>
    <li><a href="#examples"><span class="secno">2</span> <span class="content">Examples</span></a>
    <li><a href="#other-and-related-mechanisms"><span class="secno">3</span> <span class="content">Other and related mechanisms</span></a>
    <li>
     <a href="#framwork"><span class="secno">4</span> <span class="content">Framework</span></a>
     <ol class="toc">
      <li><a href="#features"><span class="secno">4.1</span> <span class="content">Policy-controlled Features</span></a>
      <li><a href="#policies"><span class="secno">4.2</span> <span class="content">Policies</span></a>
      <li><a href="#inherited-policies"><span class="secno">4.3</span> <span class="content">Inherited policies</span></a>
      <li><a href="#declared-policies"><span class="secno">4.4</span> <span class="content">Declared policies</span></a>
      <li><a href="#header-policies"><span class="secno">4.5</span> <span class="content">Header policies</span></a>
      <li><a href="#container-policies"><span class="secno">4.6</span> <span class="content">Container policies</span></a>
      <li><a href="#policy-directives"><span class="secno">4.7</span> <span class="content">Policy directives</span></a>
      <li><a href="#allowlists"><span class="secno">4.8</span> <span class="content">Allowlists</span></a>
      <li><a href="#default-allowlists"><span class="secno">4.9</span> <span class="content">Default Allowlists</span></a>
     </ol>
    <li>
     <a href="#serialization"><span class="secno">5</span> <span class="content">Feature Policy Serialization</span></a>
     <ol class="toc">
      <li><a href="#ascii-serialization"><span class="secno">5.1</span> <span class="content">ASCII serialization</span></a>
     </ol>
    <li>
     <a href="#delivery"><span class="secno">6</span> <span class="content">Delivery</span></a>
     <ol class="toc">
      <li><a href="#feature-policy-http-header-field"><span class="secno">6.1</span> <span class="content">Feature-Policy HTTP Header
    Field</span></a>
      <li><a href="#iframe-allow-attribute"><span class="secno">6.2</span> <span class="content">The <code>allow</code> attribute of the <code>iframe</code> element</span></a>
      <li>
       <a href="#legacy-attributes"><span class="secno">6.3</span> <span class="content">Additional attributes to support legacy
    features</span></a>
       <ol class="toc">
        <li><a href="#iframe-allowfullscreen-attribute"><span class="secno">6.3.1</span> <span class="content">allowfullscreen</span></a>
        <li><a href="#iframe-allowpaymentrequest-attribute"><span class="secno">6.3.2</span> <span class="content">allowpaymentrequest</span></a>
       </ol>
     </ol>
    <li>
     <a href="#introspection"><span class="secno">7</span> <span class="content">Policy Introspection from Scripts</span></a>
     <ol class="toc">
      <li>
       <a href="#introspection-overview"><span class="secno">7.1</span> <span class="content">Overview</span></a>
       <ol class="toc">
        <li><a href="#document-policies"><span class="secno">7.1.1</span> <span class="content">Document policies</span></a>
        <li><a href="#frame-policies"><span class="secno">7.1.2</span> <span class="content">Frame policies</span></a>
       </ol>
      <li><a href="#the-policy-object"><span class="secno">7.2</span> <span class="content">The featurePolicy object</span></a>
     </ol>
    <li><a href="#reporting"><span class="secno">8</span> <span class="content">Reporting</span></a>
    <li>
     <a href="#algorithms"><span class="secno">9</span> <span class="content">Algorithms</span></a>
     <ol class="toc">
      <li><a href="#algo-process-response-policy"><span class="secno">9.1</span> <span class="content"><span>Process response
    policy</span></span></a>
      <li><a href="#algo-parse-header"><span class="secno">9.2</span> <span class="content"><span>Parse header from <var>value</var> and <var>origin</var></span></span></a>
      <li><a href="#algo-parse-policy-directive"><span class="secno">9.3</span> <span class="content"><span>Parse policy directive</span></span></a>
      <li><a href="#algo-merge-directive-with-declared-policy"><span class="secno">9.4</span> <span class="content"><span>Merge directive with
    declared policy</span></span></a>
      <li><a href="#algo-process-feature-policy-attributes"><span class="secno">9.5</span> <span class="content"><span>Process feature policy
    attributes</span></span></a>
      <li><a href="#algo-create-for-browsingcontext"><span class="secno">9.6</span> <span class="content"><span>Create a
    Feature Policy for a browsing <var>context</var></span></span></a>
      <li><a href="#algo-create-from-response"><span class="secno">9.7</span> <span class="content"><span>Create a Feature
    Policy for a browsing <var>context</var> from <var>response</var></span></span></a>
      <li><a href="#algo-define-inherited-policy"><span class="secno">9.8</span> <span class="content"><span>Define an inherited policy for <var>feature</var> in <span>browsing context</span></span></span></a>
      <li><a href="#algo-define-inherited-policy-in-container"><span class="secno">9.9</span> <span class="content"><span>Define an inherited
    policy for <var>feature</var> in <var>container</var> at <var>origin</var></span></span></a>
      <li><a href="#algo-is-feature-enabled"><span class="secno">9.10</span> <span class="content"><span>Is <var>feature</var> enabled in <var>document</var> for <var>origin</var>?</span></span></a>
      <li><a href="#algo-report-feature-policy-violation"><span class="secno">9.11</span> <span class="content"><span>Generate report for violation of <var>feature</var> policy on <var>settings</var></span></span></a>
      <li><a href="#algo-should-request-be-allowed-to-use-feature"><span class="secno">9.12</span> <span class="content"><span>Should <var>request</var> be allowed to use <var>feature</var>?</span></span></a>
     </ol>
    <li><a href="#iana-considerations"><span class="secno">10</span> <span class="content">IANA Considerations</span></a>
    <li>
     <a href="#privacy-and-security"><span class="secno">11</span> <span class="content">Privacy and Security</span></a>
     <ol class="toc">
      <li><a href="#privacy-expose-behavior"><span class="secno">11.1</span> <span class="content">Exposure of cross-origin behavior</span></a>
      <li><a href="#privacy-alter-behavior"><span class="secno">11.2</span> <span class="content">Unanticipated behavior changes</span></a>
      <li><a href="#privacy-expose-policy"><span class="secno">11.3</span> <span class="content">Exposure of embedding policy</span></a>
     </ol>
    <li>
     <a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
     </ol>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
    <li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
    <li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
   </ol>
  </nav>
  <main>
   <section>
    <h2 class="heading settled" data-level="1" id="introduction"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#introduction"></a></h2>
    <p>The web platform provides an ever-expanding set of features and APIs,
  offering richer functionality, better developer ergonomics, and improved
  performance. However, a missing piece is the ability for the developer to
  selectively enable, disable, or modify the behavior of some of these browser
  features and APIs within their application:</p>
    <ol>
     <li>The developer may want to selectively <em>disable</em> access to certain
    browser features and APIs to "lock down" their application, as a security
    or performance precaution, to prevent own and third-party content executing
    within their application from introducing unwanted or unexpected behaviors
    within their application.
     <li>The developer may want to selectively <em>enable</em> access to certain
    browser features and APIs which may be disabled by default - e.g. some
    features may be disabled by default in embedded context unless explicitly
    enabled; some features may be subject to other policy requirements.
     <li>The developer may want to use the policy to assert a promise to a
    client or an embedder about the use—or lack of thereof—of certain features
    and APIs. For example, to enable certain types of "fast path" optimizations
    in the browser, or to assert a promise about conformance with some
    requirements set by other embedders - e.g. various social networks, search
    engines, and so on.
    </ol>
    <p>This specification defines a feature policy mechanism that addresses the
  above use cases.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="2" id="examples"><span class="secno">2. </span><span class="content">Examples</span><a class="self-link" href="#examples"></a></h2>
    <div class="example" id="example-7234b046">
     <a class="self-link" href="#example-7234b046"></a> 
     <p>SecureCorp Inc. wants to disable use of Fullscreen and Geolocation APIs
    within their application. It can do so by delivering the following HTTP
    response header to define a feature policy:</p>
<pre><a data-link-type="http-header" href="#feature-policy-header" id="ref-for-feature-policy-header">Feature-Policy</a>: fullscreen 'none'; geolocation 'none'</pre>
     <p>By specifying the "<code>'none'</code>"keyword for the origin list, the
    specified features will be disabled for all browsing contexts, regardless of
    their origin.</p>
    </div>
    <div class="example" id="example-0976fd18">
     <a class="self-link" href="#example-0976fd18"></a> 
     <p>SecureCorp Inc. wants to disable use of Geolocation API within all
    browsing contexts except for its own origin and those whose origin is
    "<code>https://example.com</code>". It can do so by delivering the
    following HTTP response header to define a feature policy:</p>
<pre><a data-link-type="http-header" href="#feature-policy-header" id="ref-for-feature-policy-header①">Feature-Policy</a>: geolocation 'self' https://example.com</pre>
     <p>The <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist">allowlist</a> is a list of one or more origins, which can include
    the application’s origin, optionally with the keyword "<code>'self'</code>",
    and any third-party origin.</p>
    </div>
    <div class="example" id="example-652f9c6b">
     <a class="self-link" href="#example-652f9c6b"></a> 
     <p>SecureCorp Inc. is hosting an application on
    "<code>https://example.com</code>" and wants to disable camera and
    microphone input on its own origin but enable it for a specific embedee
    ("<code>https://other.com</code>"). It can do so by delivering the
    following HTTP response header to define a feature policy:</p>
<pre><a data-link-type="http-header" href="#feature-policy-header" id="ref-for-feature-policy-header②">Feature-Policy</a>: camera https://other.com; microphone https://other.com</pre>
     <p>Some features are disabled by default in embedded contexts. The policy
    allows the application to selectively enable such features for specified
    origins.</p>
    </div>
    <div class="example" id="example-1db1f085">
     <a class="self-link" href="#example-1db1f085"></a> 
     <p>Geolocation is disabled by default in all cross-origin frames. FastCorp
    Inc. has a specific cross-origin iframe on their site for which it wants to
    enable geolocation. It can do so by including an "<code>allow</code>"
    attribute on the iframe element:</p>
<pre>&lt;iframe src="https://other.com/map" <a href="#iframe-allow-attribute">allow</a>="geolocation">&lt;/iframe></pre>
     <p>Iframe attributes can selectively enable features in certain frames, and
    not in others, even if those contain documents from the same origin.</p>
    </div>
   </section>
   <section>
    <h2 class="heading settled" data-level="3" id="other-and-related-mechanisms"><span class="secno">3. </span><span class="content">Other and related mechanisms</span><a class="self-link" href="#other-and-related-mechanisms"></a></h2>
    <p><a data-link-type="biblio" href="#biblio-html5">[HTML5]</a> defines a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox" id="ref-for-attr-iframe-sandbox">sandbox</a></code> attribute for <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element">iframe</a></code> elements
  that allows developers to reduce the risk of including potentially untrusted
  content by imposing restrictions on content’s abilities - e.g. prevent it
  from submitting forms, running scripts and plugins, and more. The <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#sandbox" id="ref-for-sandbox">sandbox</a> directive defined by <a data-link-type="biblio" href="#biblio-csp2">[CSP2]</a> extends this capability to any
  resource, framed or not, to ask for the same set of restrictions - e.g. via an
  HTTP response header (<code>Content-Security-Policy: sandbox</code>). These
  mechanisms enable the developer to:</p>
    <ul>
     <li>Set and customize a sandbox policy on any resource via CSP.
     <li>Set and customize individual sandbox policies on each <code>iframe</code> element within their application.
    </ul>
    <p>However, there are several limitations to the above mechanism: the
  developer cannot automatically apply a policy across all contexts, which
  makes it hard or impossible to enforce consistently in some cases (e.g. due
  to third-party content injecting frames, which the developer does not
  control); there is no mechanism to selectively enable features that may be
  off by default; the sandbox mechanism automatically disables all sandbox
  features, and requires the developer to opt back in to each of them, so it is
  impossible to extend the set of sandbox features without significant
  compatibility risk.</p>
    <p>Feature Policy is intended to be used in combination with the sandbox
  mechanism (i.e. it does not duplicate feature controls already covered by
  sandbox), and provides an extensible mechanism that addresses the above
  limitations.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="4" id="framwork"><span class="secno">4. </span><span class="content">Framework</span><a class="self-link" href="#framwork"></a></h2>
    <section>
     <h3 class="heading settled" data-level="4.1" id="features"><span class="secno">4.1. </span><span class="content">Policy-controlled Features</span><a class="self-link" href="#features"></a></h3>
     <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="policy-controlled-feature">policy-controlled feature</dfn> is an
    API or behaviour which can be enabled or disabled in a document by referring
    to it in a <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy">feature policy</a>. </p>
     <div class="note" role="note">For brevity, policy-controlled features will often be
    referred to in this document simply as "Features". Unless otherwise
    indicated, the term "feature" refers to <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature">policy-controlled features</a>.
    Other specifications, defining such features, should use the longer term to
    avoid any ambiguity.</div>
     <div class="issue" id="issue-e7bb8656"><a class="self-link" href="#issue-e7bb8656"></a>This spec currently only deals with features defined in
    Documents. We should figure out how to word this to include the possibility
    of features and feature policies in Workers and Worklets as well.</div>
     <p><a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①">Policy-controlled features</a> are identified by tokens, which are
    character strings used in <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive">policy directives</a>. </p>
     <p>Each <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature②">policy-controlled feature</a> has a <a data-link-type="dfn" href="#default-allowlist" id="ref-for-default-allowlist">default allowlist</a>,
    which defines whether that feature is available in documents in top-level
    browsing contexts, and how access to that feature is inherited in child
    browsing contexts.</p>
     <p>A user agent has a set of <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="supported-features">supported features</dfn>, which is the set
    of <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature③">features</a> which it allows to be
    controlled through policies. User agents are not required to support every <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature④">feature</a>.</p>
     <div class="note" role="note"> The <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature⑤">policy-controlled features</a> themselves are not themselves part
      of this framework. A non-normative list of currently-defined features is
      maintained as a <a href="https://github.com/w3c/webappsec-feature-policy/blob/master/features.md">companion
      document</a> alongside this specification. </div>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.2" id="policies"><span class="secno">4.2. </span><span class="content">Policies</span><a class="self-link" href="#policies"></a></h3>
     <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="feature-policy">feature policy</dfn> is a struct with the following items:</p>
     <ul>
      <li>An <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy">inherited policy</a>. 
      <li>A <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy">declared policy</a>. 
     </ul>
     <p>An <dfn data-dfn-type="dfn" data-export id="empty-feature-policy">empty feature policy<a class="self-link" href="#empty-feature-policy"></a></dfn> is a <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy①">feature policy</a> that
    has an <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy①">inherited policy</a> which contains "<code>Enabled</code>" for
    every <a data-link-type="dfn" href="#supported-features" id="ref-for-supported-features">supported feature</a>, and a <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy①">declared policy</a> which is an
    empty map.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.3" id="inherited-policies"><span class="secno">4.3. </span><span class="content">Inherited policies</span><a class="self-link" href="#inherited-policies"></a></h3>
     <p>An <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="inherited policy|inherited policies" data-noexport id="inherited-policy">inherited
    policy</dfn> is an ordered map from <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature⑥">features</a> to either
    "<code>Enabled</code>" or "<code>Disabled</code>".</p>
     <p>The <dfn data-dfn-type="dfn" data-export id="inherited-policy-for-a-feature">inherited policy for a feature<a class="self-link" href="#inherited-policy-for-a-feature"></a></dfn> <var>feature</var> is the value in the <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy②">inherited policy</a> whose key is <var>feature</var>.
    After a <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy②">feature policy</a> has been initialized, its <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy③">inherited
    policy</a> will contain a value for each <a data-link-type="dfn" href="#supported-features" id="ref-for-supported-features①">supported feature</a>.</p>
     <div class="note" role="note">
      <p>Each document in a frame tree inherits a set of policies from its parent
    frame, or in the case of the top-level document, from the defined defaults
    for each <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature⑦">policy-controlled feature</a>. This inherited policy determines
    the initial state ("<code>Enabled</code>" or "<code>Disabled</code>") of
    each feature, and whether it can be controlled by a <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy②">declared policy</a> in the document. </p>
      <p>In a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document">Document</a></code> in a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context" id="ref-for-top-level-browsing-context">top-level browsing context</a>, the inherited
    policy is based on defined defaults for each feature.</p>
      <p>In a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①">Document</a></code> in a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#child-browsing-context" id="ref-for-child-browsing-context">child browsing context</a>, the inherited policy
    is based on the parent document’s feature policy, as well as the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#child-browsing-context" id="ref-for-child-browsing-context①">child
    browsing context</a>'s <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy">container policy</a>. </p>
     </div>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.4" id="declared-policies"><span class="secno">4.4. </span><span class="content">Declared policies</span><a class="self-link" href="#declared-policies"></a></h3>
     <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="declared policy|declared feature policy" data-noexport id="declared-policy">declared
    policy</dfn> is an ordered map from <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature⑧">features</a> to <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist①">allowlists</a>. </p>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.5" id="header-policies"><span class="secno">4.5. </span><span class="content">Header policies</span><a class="self-link" href="#header-policies"></a></h3>
     <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="header-policy">header policy</dfn> is a list of <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive①">policy directives</a> delivered via an HTTP header with a document. This forms the document’s <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy③">feature policy</a>’s <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy③">declared policy</a>.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.6" id="container-policies"><span class="secno">4.6. </span><span class="content">Container policies</span><a class="self-link" href="#container-policies"></a></h3>
     <p>In addition to the <a data-link-type="dfn" href="#header-policy" id="ref-for-header-policy">header policy</a>, each <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context">nested browsing context</a> has a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="container-policy">container policy</dfn>, which is a <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive②">policy directive</a>,
    which may be empty. The <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy①">container policy</a> can set by attributes on the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container" id="ref-for-browsing-context-container">browsing context container</a>.</p>
     <p>The <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy②">container policy</a> for a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context①">nested browsing context</a> influences
    the <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy④">inherited policy</a> of any document loaded into that context.
    (See <a href="#algo-define-inherited-policy">§ 9.8 Define an inherited policy for
    feature in browsing context</a>)</p>
     <div class="note" role="note"> Currently, the <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy③">container policy</a> cannot be set directly, but is
      indirectly set by <code>iframe</code> "<a href="#iframe-allowfullscreen-attribute"><code>allowfullscreen</code></a>",
      "<a href="#iframe-allowpaymentrequest-attribute"><code>allowpaymentrequest</code></a>",
      "and <a href="#iframe-allow-attribute"><code>allow</code></a>" attributes.
      Future revisions to this spec may introduce a mechanism to explicitly
      declare the full <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy④">container policy</a>. </div>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.7" id="policy-directives"><span class="secno">4.7. </span><span class="content">Policy directives</span><a class="self-link" href="#policy-directives"></a></h3>
     <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="policy directive|policy directives" data-noexport id="policy-directive">policy
    directive</dfn> is an ordered map, mapping <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature⑨">policy-controlled features</a> to corresponding <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist②">allowlists</a> of origins.</p>
     <p>A <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive③">policy directive</a> is represented in HTTP headers and HTML
    attributes as its ASCII serialization.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.8" id="allowlists"><span class="secno">4.8. </span><span class="content">Allowlists</span><a class="self-link" href="#allowlists"></a></h3>
     <p>A feature policy <dfn class="dfn-paneled" data-dfn-type="dfn" data-export data-lt="allowlist|allowlists" id="allowlist">allowlist</dfn> is conceptually a set of <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin">origins</a>. An <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist③">allowlist</a> may be either: </p>
     <ul>
      <li><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="the-special-value">The special value <code>*</code></dfn>, which represents every
      origin, or
      <li>An <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set">ordered set</a> of <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①">origins</a>
     </ul>
     <div class="note" role="note"> The keywords <code>'self'</code>, <code>'src'</code>, and <code>'none'</code> can appear in the text representation of allowlists in
      headers and attribute strings. These keywords are always interpreted in
      context during parsing, and only the origins which they refer to are
      stored in the allowlist. The keywords themselves are not part of the
      allowlist. </div>
     <p>To determine whether an <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist④">allowlist</a> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="matches">matches</dfn> an origin <var>origin</var>, run these steps: </p>
     <ol>
      <li>If the <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist⑤">allowlist</a> is <a data-link-type="dfn" href="#the-special-value" id="ref-for-the-special-value">the special value <code>*</code></a>,
      then return true.
      <li>
       Otherwise, for each <var>item</var> in the <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist⑥">allowlist</a>: 
       <ol>
        <li>If <var>item</var> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain" id="ref-for-same-origin-domain">same origin-domain</a> with <var>origin</var>, then return true.
       </ol>
      <li>return false.
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.9" id="default-allowlists"><span class="secno">4.9. </span><span class="content">Default Allowlists</span><a class="self-link" href="#default-allowlists"></a></h3>
     <p>Every <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①⓪">policy-controlled feature</a> has a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export data-lt="default allowlist|default allowlists" id="default-allowlist">default allowlist</dfn>. The <a data-link-type="dfn" href="#default-allowlist" id="ref-for-default-allowlist①">default allowlist</a> determines whether the feature is allowed in a
    document with no declared policy in a top-level browsing context, and also
    whether access to the feature is automatically delegated to documents in
    child browsing contexts.</p>
     <p>The <a data-link-type="dfn" href="#default-allowlist" id="ref-for-default-allowlist②">default allowlist</a> for a <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①①">feature</a> is one of these values:</p>
     <dl>
      <dt><code>*</code>
      <dd>The feature is allowed in documents in top-level browsing contexts by
      default, and when allowed, is allowed by default to documents in child
      browsing contexts.
      <dt><code>'self'</code>
      <dd>The feature is allowed in documents in top-level browsing contexts by
      default, and when allowed, is allowed by default to same-origin domain
      documents in child browsing contexts, but is disallowed by default in
      cross-origin documents in child browsing contexts.
      <dt>'none'
      <dd>The feature is disallowed in documents in top-level browsing contexts
      by default, and is also disallowed by default to documents in child
      browsing contexts.
     </dl>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="5" id="serialization"><span class="secno">5. </span><span class="content">Feature Policy Serialization</span><a class="self-link" href="#serialization"></a></h2>
    <section>
     <h3 class="heading settled" data-level="5.1" id="ascii-serialization"><span class="secno">5.1. </span><span class="content">ASCII serialization</span><a class="self-link" href="#ascii-serialization"></a></h3>
     <p><a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive④">Policy Directives</a> are represented in HTTP headers and in HTML
    attributes as ASCII text.</p>
<pre class="abnf"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="serialized-feature-policy">serialized-feature-policy</dfn> = <a data-link-type="dfn" href="#serialized-policy-directive" id="ref-for-serialized-policy-directive">serialized-policy-directive</a> *(";" <a data-link-type="dfn" href="#serialized-policy-directive" id="ref-for-serialized-policy-directive①">serialized-policy-directive</a>)
<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="serialized-policy-directive">serialized-policy-directive</dfn> = <a data-link-type="dfn" href="#feature-identifier" id="ref-for-feature-identifier">feature-identifier</a> RWS <a data-link-type="dfn" href="#allow-list" id="ref-for-allow-list">allow-list</a>
<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="feature-identifier">feature-identifier</dfn> = 1*( ALPHA / DIGIT / "-")
<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="allow-list">allow-list</dfn> = <a data-link-type="dfn" href="#allow-list-value" id="ref-for-allow-list-value">allow-list-value</a> *(RWS <a data-link-type="dfn" href="#allow-list-value" id="ref-for-allow-list-value①">allow-list-value</a>)
<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="allow-list-value">allow-list-value</dfn> = <a data-link-type="dfn" href="#serialized-origin" id="ref-for-serialized-origin">serialized-origin</a> / "*" / "'self'" / "'src'" / "'none'"
</pre>
     <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="serialized-origin"><code>serialized-origin</code></dfn> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin" id="ref-for-ascii-serialisation-of-an-origin">serialization of an origin</a>. However, the code points U+0027 ('),
    U+0021 (*), U+002C (,) and U+003B (;) MUST NOT appear in the serialization.
    If they are required, they must be percent-encoded as "<code>%27</code>", "<code>%2A</code>",
    "<code>%2C</code>" or "<code>%3B</code>", respectively.</p>
     <div class="note" role="note"> The string "<code>'self'</code>" may be used as an origin in an allowlist.
      When it is used in this way, it will refer to the origin of the document
      which contains the feature policy. </div>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="6" id="delivery"><span class="secno">6. </span><span class="content">Delivery</span><a class="self-link" href="#delivery"></a></h2>
    <section>
     <h3 class="heading settled" data-level="6.1" id="feature-policy-http-header-field"><span class="secno">6.1. </span><span class="content">Feature-Policy HTTP Header
    Field</span><a class="self-link" href="#feature-policy-http-header-field"></a></h3>
     <p>The `<dfn class="dfn-paneled" data-dfn-type="http-header" data-export id="feature-policy-header"><code>Feature-Policy</code></dfn>` HTTP
    header field can be used in the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-response" id="ref-for-concept-response-response">response</a> (server to client) to
    communicate the <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy④">feature policy</a> that should be enforced by the
    client.</p>
     <p>The header’s value is the <a href="#ascii-serialization">§ 5.1 ASCII serialization</a> of one or
    more <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive⑤">policy directive</a>s:.</p>
<pre class="abnf">FeaturePolicy = <a data-link-type="dfn" href="#serialized-feature-policy" id="ref-for-serialized-feature-policy">serialized-feature-policy</a> *("," <a data-link-type="dfn" href="#serialized-feature-policy" id="ref-for-serialized-feature-policy①">serialized-feature-policy</a>)
</pre>
    </section>
    <section>
     <h3 class="heading settled" data-level="6.2" id="iframe-allow-attribute"><span class="secno">6.2. </span><span class="content">The <code>allow</code> attribute of the <code>iframe</code> element</span><a class="self-link" href="#iframe-allow-attribute"></a></h3>
     <p><code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element①">iframe</a></code> elements have an "<code>allow</code>" attribute, which
    contains an <a href="#serialized-policy-directive" id="ref-for-serialized-policy-directive②">ASCII-serialized policy
    directive</a>.</p>
     <p>The allowlist for the features named in the attribute may be empty; in
    that case, the default value for the allowlist is <code>'src'</code>, which
    represents the origin of the URL in the iframe’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-src" id="ref-for-attr-iframe-src">src</a></code> attribute. </p>
     <p>When not empty, the "<code>allow</code>" attribute will result in adding
    an <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist⑦">allowlist</a> for each recognized <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①②">feature</a> to the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element②">iframe</a></code> element’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context②">nested browsing context</a>'s <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy⑤">container policy</a>, when it is
    constructed.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="6.3" id="legacy-attributes"><span class="secno">6.3. </span><span class="content">Additional attributes to support legacy
    features</span><a class="self-link" href="#legacy-attributes"></a></h3>
     <p>Some <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①③">features</a> controlled by
    Feature Policy have existing iframe attributes defined. This specification
    redefines these attributes to act as declared policies for the iframe
    element.</p>
     <section>
      <h4 class="heading settled" data-level="6.3.1" id="iframe-allowfullscreen-attribute"><span class="secno">6.3.1. </span><span class="content">allowfullscreen</span><a class="self-link" href="#iframe-allowfullscreen-attribute"></a></h4>
      <p>The "<code>allowfullscreen</code>" iframe attribute controls access to <code class="idl"><a data-link-type="idl" href="https://fullscreen.spec.whatwg.org/#dom-element-requestfullscreen" id="ref-for-dom-element-requestfullscreen">requestFullscreen()</a></code>.</p>
      <p>If the iframe element has an "<code>allow</code>" attribute whose
      value contains the token "<code>fullscreen</code>", then the
      "<code>allowfullscreen</code>" attribute must have no effect.</p>
      <p>Otherwise, the presence of an "<code>allowfullscreen</code>" attribute
      on an iframe will result in adding an <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist⑧">allowlist</a> of <code>*</code> for the "<code>fullscreen</code>" feature to the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element③">iframe</a></code> element’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context③">nested browsing context</a>'s <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy⑥">container policy</a>, when it is
      constructed.</p>
      <div class="note" role="note"> This is different from the behaviour of <code>&lt;iframe
        allow="fullscreen"></code>, and is for compatibility with existing
        uses of <code>allowfullscreen</code>. If <code>allow="fullscreen"</code> and <code>allowfullscreen</code> are
        both present on an iframe element, then the more restrictive allowlist
        of <code>allow="fullscreen"</code> will be used. </div>
     </section>
     <section>
      <h4 class="heading settled" data-level="6.3.2" id="iframe-allowpaymentrequest-attribute"><span class="secno">6.3.2. </span><span class="content">allowpaymentrequest</span><a class="self-link" href="#iframe-allowpaymentrequest-attribute"></a></h4>
      <p>The "<code>allowpaymentrequest</code>" iframe attribute controls
      access to <a data-link-type="dfn" href="https://w3c.github.io/payment-request/#dom-paymentrequest" id="ref-for-dom-paymentrequest">PaymentRequest</a>.</p>
      <p>If the iframe element has an "<code>allow</code>" attribute whose
      value contains the token "<code>payment</code>", then the
      "<code>allowpaymentrequest</code>" attribute must have no effect.</p>
      <p>Otherwise, the presence of an "<code>allowpaymentrequest</code>"
      attribute on an iframe will result in adding an <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist⑨">allowlist</a> of <code>*</code> for the "<code>payment</code>" feature to the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element④">iframe</a></code> element’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context④">nested browsing context</a>'s <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy⑦">container policy</a>, when it
      is constructed.</p>
      <div class="note" role="note"> This is different from the behaviour of <code>&lt;iframe
        allow="payment"></code>, and is for compatibility with existing uses
        of <code>allowpaymentrequest</code>. If <code>allow="payment"</code> and <code>allowpaymentrequest</code> are both present on an iframe
        element, then the more restrictive allowlist of <code>allow="payment"</code> will be used. </div>
     </section>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="7" id="introspection"><span class="secno">7. </span><span class="content">Policy Introspection from Scripts</span><a class="self-link" href="#introspection"></a></h2>
    <section class="non-normative">
     <h3 class="heading settled" data-level="7.1" id="introspection-overview"><span class="secno">7.1. </span><span class="content">Overview</span><a class="self-link" href="#introspection-overview"></a></h3>
     <p>The current policy which is in effect in a document can be observed by
  scripts. This can be used to make decisions, for instance, about what user
  interface to display, in cases where it is not possible to determine otherwise
  whether a feature is enabled or not. (Some features may not have any
  observable failure mode, or may have unwanted side effects to feature
  detection.)</p>
     <p>Documents and iframes both provide a <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy">FeaturePolicy</a></code> object which can be
  used to inspect the feature policies which apply to them.</p>
     <h4 class="heading settled" data-level="7.1.1" id="document-policies"><span class="secno">7.1.1. </span><span class="content">Document policies</span><a class="self-link" href="#document-policies"></a></h4>
     <p>To retreive the currently effective policy, use <code>document.featurePolicy</code>. This returns a <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①">FeaturePolicy</a></code> object, which can be used to: </p>
     <ul>
      <li data-md>
       <p>query the state (allowed or denied) in the current document for a given
  feature,</p>
      <li data-md>
       <p>get a list of all available features (allowed or not) in the current
  document,</p>
      <li data-md>
       <p>get a list of all allowed features in the current document, or</p>
      <li data-md>
       <p>get the allowlist for a given feature in the current document.</p>
     </ul>
     <p></p>
     <div class="example" id="example-75033745">
      <a class="self-link" href="#example-75033745"></a> 
<pre>&lt;!doctype html>
&lt;script>
 const policy = document.featurePolicy;

 // This will be true if this document can use WebUSB.
 const can_use_usb = policy.allowsFeature('usb');

 // True if a new frame at https://example.com will be allowed to use WebVR.
 if (policy.allowsFeature('vr', 'https://example.com')) {
   // Show UI to create frame at https://example.com.
 } else {
   // Show an alternative UI.
 }

 // Get the list of origins which are allowed to request payment. The result
 // will be a list of explicit origins, or the single element ['*'] if all
 // origins are allowed.
 const allowed_payment_origins = policy.getAllowlistForFeature('payment');

 // Get the list of all features supported in this document (even those
 // which are not allowed). The result will be an array of strings, each
 // representing a feature.
 const all_features = policy.features();
 if (all_features.includes('geolocation')) {
   // Append a child frame to a third-party map service.
 }
&lt;/script>
</pre>
     </div>
     <h4 class="heading settled" data-level="7.1.2" id="frame-policies"><span class="secno">7.1.2. </span><span class="content">Frame policies</span><a class="self-link" href="#frame-policies"></a></h4>
     <p>It is also possible to inspect the policy on an iframe element, from the
  document which contains it. The policy object in this case represents the <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy">observable policy</a> for the frame, which depends only on the current
  document and the attributes of the iframe element. It does not reveal whether
  a feature is actually currently allowed in the frame, as the document in the
  frame may have applied its own policy via an HTTP header, or may have
  navigated away from its initial location to a new origin. Revealing the
  effective policy in the iframe element’s nested browsing context in that case
  could leak information about the behaviour of a cross-origin document.</p>
     <div class="example" id="example-2621b41f">
      <a class="self-link" href="#example-2621b41f"></a> 
<pre>&lt;!doctype html>
&lt;iframe id="frame" allow="fullscreen; vr">&lt;/iframe>
&lt;script>
 const iframe_element = document.getElementById("frame");
 const iframe_policy = iframe_element.featurePolicy;

 // True if the framed document will be allowed to use WebVR
 if (iframe_policy.allowsFeature('vr')) {
  // display vr controls
 }
&lt;/script>
</pre>
     </div>
     <p>The <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy①">observable policy</a> on an iframe element is independent of any
  actual content loaded into the frame (to avoid cross-origin information
  leakage,) or even whether it is in a document tree.</p>
     <div class="example" id="example-e121f006">
      <a class="self-link" href="#example-e121f006"></a> 
<pre>&lt;!doctype html>
&lt;!-- this frame should not be allowed to use fullscreen when the document
    in its src attribute is loaded in it -->
&lt;iframe id="frame" allow="fullscreen https://example.com" src="https://example.net/" >&lt;/iframe>
&lt;script>
 const iframe_element = document.getElementById("frame");
 const iframe_policy = iframe_element.featurePolicy;
 // This will be false, as the URL listed in the src attribute is not allowed
 // by policy to use fullscreen.
 const is_fullscreen_allowed_in_frame = iframe_policy.allowsFeature('fullscreen');

 const new_frame = document.createElement('iframe');
 new_frame.allow = 'sync-xhr';
 // This will be true, as the iframe is allowed to use sync-xhr at whatever URL is
 // mentioned in its src attribute, even though that attribute is not yet set.
 const is_sync_xhr_allowed = new_frame.featurePolicy.allowsFeature('sync-xhr');
&lt;/script>
</pre>
     </div>
    </section>
    <section>
     <h3 class="heading settled" data-level="7.2" id="the-policy-object"><span class="secno">7.2. </span><span class="content">The featurePolicy object</span><a class="self-link" href="#the-policy-object"></a></h3>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export id="featurepolicy"><code><c- g>FeaturePolicy</c-></code></dfn> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean"><c- b>boolean</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="FeaturePolicy" data-dfn-type="method" data-export data-lt="allowsFeature(feature, origin)|allowsFeature(feature)" id="dom-featurepolicy-allowsfeature"><code><c- g>allowsFeature</c-></code></dfn>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString"><c- b>DOMString</c-></a> <dfn class="idl-code" data-dfn-for="FeaturePolicy/allowsFeature(feature, origin), FeaturePolicy/allowsFeature(feature)" data-dfn-type="argument" data-export id="dom-featurepolicy-allowsfeature-feature-origin-feature"><code><c- g>feature</c-></code><a class="self-link" href="#dom-featurepolicy-allowsfeature-feature-origin-feature"></a></dfn>, <c- b>optional</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①"><c- b>DOMString</c-></a> <dfn class="idl-code" data-dfn-for="FeaturePolicy/allowsFeature(feature, origin), FeaturePolicy/allowsFeature(feature)" data-dfn-type="argument" data-export id="dom-featurepolicy-allowsfeature-feature-origin-origin"><code><c- g>origin</c-></code><a class="self-link" href="#dom-featurepolicy-allowsfeature-feature-origin-origin"></a></dfn>);
  <c- b>sequence</c->&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②"><c- b>DOMString</c-></a>> <dfn class="dfn-paneled idl-code" data-dfn-for="FeaturePolicy" data-dfn-type="method" data-export data-lt="features()" id="dom-featurepolicy-features"><code><c- g>features</c-></code></dfn>();
  <c- b>sequence</c->&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③"><c- b>DOMString</c-></a>> <dfn class="dfn-paneled idl-code" data-dfn-for="FeaturePolicy" data-dfn-type="method" data-export data-lt="allowedFeatures()" id="dom-featurepolicy-allowedfeatures"><code><c- g>allowedFeatures</c-></code></dfn>();
  <c- b>sequence</c->&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString④"><c- b>DOMString</c-></a>> <dfn class="dfn-paneled idl-code" data-dfn-for="FeaturePolicy" data-dfn-type="method" data-export data-lt="getAllowlistForFeature(feature)" id="dom-featurepolicy-getallowlistforfeature"><code><c- g>getAllowlistForFeature</c-></code></dfn>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑤"><c- b>DOMString</c-></a> <dfn class="idl-code" data-dfn-for="FeaturePolicy/getAllowlistForFeature(feature)" data-dfn-type="argument" data-export id="dom-featurepolicy-getallowlistforfeature-feature-feature"><code><c- g>feature</c-></code><a class="self-link" href="#dom-featurepolicy-getallowlistforfeature-feature-feature"></a></dfn>);
};

<c- b>partial</c-> <c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="https://dom.spec.whatwg.org/#document" id="ref-for-document②"><c- g>Document</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="n" data-link-type="idl-name" href="#featurepolicy" id="ref-for-featurepolicy②"><c- n>FeaturePolicy</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="Document" data-dfn-type="attribute" data-export data-readonly data-type="FeaturePolicy" id="dom-document-featurepolicy"><code><c- g>featurePolicy</c-></code></dfn>;
};

<c- b>partial</c-> <c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#htmliframeelement" id="ref-for-htmliframeelement"><c- g>HTMLIFrameElement</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject①"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="n" data-link-type="idl-name" href="#featurepolicy" id="ref-for-featurepolicy③"><c- n>FeaturePolicy</c-></a> <dfn class="dfn-paneled idl-code" data-dfn-for="HTMLIFrameElement" data-dfn-type="attribute" data-export data-readonly data-type="FeaturePolicy" id="dom-htmliframeelement-featurepolicy"><code><c- g>featurePolicy</c-></code></dfn>;
};
</pre>
     <p>A <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy④">FeaturePolicy</a></code> object has an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="associated-node">associated node</dfn>, which is a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#node" id="ref-for-node">Node</a></code>. The <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node">associated node</a> is set when the <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy⑤">FeaturePolicy</a></code> object is created.</p>
     <p>A <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy⑥">FeaturePolicy</a></code> object has a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="default-origin">default origin</dfn>, which is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin②">origin</a>, whose value depends on the state of the <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy⑦">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node①">associated node</a>: </p>
     <ul>
      <li data-md>
       <p>If the <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy⑧">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node②">associated node</a> is a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document③">Document</a></code>, then its <a data-link-type="dfn" href="#default-origin" id="ref-for-default-origin">default origin</a> is the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document④">Document</a></code>'s</p>
     </ul>
      <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin③">origin</a>. 
     <ul>
      <li data-md>
       <p>If the <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy⑨">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node③">associated node</a> is an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element">Element</a></code>, then its <a data-link-type="dfn" href="#default-origin" id="ref-for-default-origin①">default origin</a> is the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element①">Element</a></code>'s</p>
     </ul>
      <a data-link-type="dfn" href="#declared-origin" id="ref-for-declared-origin">declared origin</a>. 
     <p>Each <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑤">Document</a></code> has a <dfn class="dfn-paneled" data-dfn-for="Document" data-dfn-type="dfn" data-noexport id="document-policy-object">policy object</dfn>, which is
    a <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①⓪">FeaturePolicy</a></code> instance whose <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node④">associated node</a> is that <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑥">Document</a></code>.</p>
     <p>A <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑦">Document</a></code>'s <code class="idl"><a data-link-type="idl" href="#dom-document-featurepolicy" id="ref-for-dom-document-featurepolicy">featurePolicy</a></code> IDL attribute, on getting,
    must return the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑧">Document</a></code>'s <a data-link-type="dfn" href="#document-policy-object" id="ref-for-document-policy-object">policy object</a>.</p>
     <p>Each <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element⑤">iframe</a></code> element has a <dfn class="dfn-paneled" data-dfn-for="iframe" data-dfn-type="dfn" data-noexport id="iframe-policy-object">policy object</dfn>,
    which is a <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①①">FeaturePolicy</a></code> instance whose <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node⑤">associated node</a> is that
    element.</p>
     <p>An <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element⑥">iframe</a></code>'s <code class="idl"><a data-link-type="idl" href="#dom-htmliframeelement-featurepolicy" id="ref-for-dom-htmliframeelement-featurepolicy">featurePolicy</a></code> IDL attribute, on
    getting, must return the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element⑦">iframe</a></code>'s <a data-link-type="dfn" href="#iframe-policy-object" id="ref-for-iframe-policy-object">policy object</a>.</p>
     <p>The <code class="idl"><a data-link-type="idl" href="#dom-featurepolicy-allowsfeature" id="ref-for-dom-featurepolicy-allowsfeature">allowsFeature(feature, origin)</a></code> method must run the following
    steps: </p>
     <ol>
      <li data-md>
       <p>If <var>origin</var> is omitted, set <var>origin</var> to this <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①②">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#default-origin" id="ref-for-default-origin②">default origin</a>.</p>
      <li data-md>
       <p>Let <var>policy</var> be the <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy②">observable policy</a> for this <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①③">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node⑥">associated node</a>.</p>
      <li data-md>
       <p>If <var>feature</var> is allowed by <var>policy</var> for <var>origin</var>, return true.</p>
      <li data-md>
       <p>Otherwise, return false.</p>
     </ol>
     <p>The <code class="idl"><a data-link-type="idl" href="#dom-featurepolicy-features" id="ref-for-dom-featurepolicy-features">features()</a></code> method must run the following steps: </p>
     <ol>
      <li data-md>
       <p>Set <var>result</var> to an empty ordered set.</p>
      <li data-md>
       <p>For each <a data-link-type="dfn" href="#supported-features" id="ref-for-supported-features②">supported feature</a> <var>feature</var>:</p>
       <ol>
        <li data-md>
         <p>Append <var>feature</var> to <var>result</var>.</p>
       </ol>
      <li data-md>
       <p>return result</p>
     </ol>
     <p>The <code class="idl"><a data-link-type="idl" href="#dom-featurepolicy-allowedfeatures" id="ref-for-dom-featurepolicy-allowedfeatures">allowedFeatures()</a></code> method must run the following steps: </p>
     <ol>
      <li data-md>
       <p>Set <var>result</var> to an empty ordered set.</p>
      <li data-md>
       <p>Let <var>origin</var> be this <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①④">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#default-origin" id="ref-for-default-origin③">default origin</a>.</p>
      <li data-md>
       <p>Let <var>policy</var> be the <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy③">observable policy</a> for this <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①⑤">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node⑦">associated node</a>.</p>
      <li data-md>
       <p>For each <a data-link-type="dfn" href="#supported-features" id="ref-for-supported-features③">supported feature</a> <var>feature</var>:</p>
       <ol>
        <li data-md>
         <p>If <var>feature</var> is allowed by <var>policy</var> for <var>origin</var>, append <var>feature</var> to <var>result</var>.</p>
       </ol>
      <li data-md>
       <p>return result</p>
     </ol>
     <p>The <code class="idl"><a data-link-type="idl" href="#dom-featurepolicy-getallowlistforfeature" id="ref-for-dom-featurepolicy-getallowlistforfeature">getAllowlistForFeature(feature)</a></code> method must run the following
    steps: </p>
     <ol>
      <li data-md>
       <p>Set <var>result</var> to an empty list</p>
      <li data-md>
       <p>Let <var>origin</var> be this <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①⑥">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#default-origin" id="ref-for-default-origin④">default origin</a>.</p>
      <li data-md>
       <p>Let <var>policy</var> be the <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy④">observable policy</a> for this <code class="idl"><a data-link-type="idl" href="#featurepolicy" id="ref-for-featurepolicy①⑦">FeaturePolicy</a></code> object’s <a data-link-type="dfn" href="#associated-node" id="ref-for-associated-node⑧">associated node</a>.</p>
      <li data-md>
       <p>If <var>feature</var> is not allowed in <var>policy</var> for <var>origin</var>, return <var>result</var></p>
      <li data-md>
       <p>Let <var>allowlist</var> be <var>policy</var>’s declared policy[<var>feature</var>]</p>
      <li data-md>
       <p>If <var>allowlist</var> is the special value <code>*</code>, append "<code>*</code>" to <var>result</var></p>
      <li data-md>
       <p>Otherwise, for each <var>origin</var> in <var>allowlist</var>:</p>
       <ol>
        <li data-md>
         <p>Append the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin" id="ref-for-ascii-serialisation-of-an-origin①">serialization</a> of <var>origin</var> to <var>result</var></p>
       </ol>
      <li data-md>
       <p>Return <var>result</var>.</p>
     </ol>
     <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="observable-policy">observable policy</dfn> for any Node is a <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy⑤">feature policy</a>,
    which contains the information about the policy in the browsing context
    represented by that Node which is visible from the current browsing context. </p>
     <p>To get the <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy⑤">observable policy</a> for a Document <var>document</var>, return <var>document</var>’s feature policy.</p>
     <p>To get the <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy⑥">observable policy</a> for an Element <var>node</var>, run the
    following steps:</p>
     <ol>
      <li data-md>
       <p>Let <var>inherited policy</var> be a new ordered map.</p>
      <li data-md>
       <p>Let <var>declared policy</var> be a new ordered map.</p>
      <li data-md>
       <p>For each <a data-link-type="dfn" href="#supported-features" id="ref-for-supported-features④">supported feature</a> <var>feature</var>:</p>
       <ol>
        <li data-md>
         <p>Let <var>isInherited</var> be the result of running <a data-link-type="dfn" href="#define-an-inherited-policy-for-feature-in-container-at-origin" id="ref-for-define-an-inherited-policy-for-feature-in-container-at-origin">Define an inherited
  policy for feature in container at origin</a> on <var>feature</var>, <var>node</var> and <var>node</var>’s <a data-link-type="dfn" href="#declared-origin" id="ref-for-declared-origin①">declared origin</a>.</p>
        <li data-md>
         <p>Set <var>inherited policy</var>[<var>feature</var>] to <var>isInherited</var>.</p>
       </ol>
      <li data-md>
       <p>Return a new <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy⑥">feature policy</a> with inherited policy <var>inherited policy</var> and declared policy <var>declared policy</var>.</p>
     </ol>
     <p>To get the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="declared-origin">declared origin</dfn> for an Element <var>node</var>, run the
    following steps: </p>
     <ol>
      <li data-md>
       <p>If <var>node</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-node-document" id="ref-for-concept-node-document">node document</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#sandboxed-origin-browsing-context-flag" id="ref-for-sandboxed-origin-browsing-context-flag">sandboxed origin browsing
  context flag</a> is set, then return a unique opaque origin.</p>
      <li data-md>
       <p>If <var>node</var>’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox" id="ref-for-attr-iframe-sandbox①">sandbox</a></code> attribute is set, and does not contain
  the <code>allow-same-origin</code> keyword, then return a unique
  opaque origin.</p>
      <li data-md>
       <p>If <var>node</var>’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-srcdoc" id="ref-for-attr-iframe-srcdoc">srcdoc</a></code> attribute is set, then return <var>node</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-node-document" id="ref-for-concept-node-document①">node document</a>’s origin.</p>
      <li data-md>
       <p>If <var>node</var>’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-src" id="ref-for-attr-iframe-src①">src</a></code> attribute is set:</p>
       <ol>
        <li data-md>
         <p>Let <var>url</var> be the result of parsing <var>node</var>’s src attribute,
  relative to <var>node</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-node-document" id="ref-for-concept-node-document②">node document</a>.</p>
        <li data-md>
         <p>If <var>url</var> is not failure, return <var>url</var>’s origin.</p>
       </ol>
      <li data-md>
       <p>Return <var>node</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-node-document" id="ref-for-concept-node-document③">node document</a>’s origin.</p>
     </ol>
     <p class="note" role="note"> The <a data-link-type="dfn" href="#declared-origin" id="ref-for-declared-origin②">declared origin</a> concept is intended to represent the origin of
      the document which the embedding page intends to load into a frame. This
      means, for instance, that if the browser does not support the <code>sandbox</code> or <code>srcdoc</code> attributes, it should not take
      those attributes into account when computing the declared origin. </p>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="8" id="reporting"><span class="secno">8. </span><span class="content">Reporting</span><a class="self-link" href="#reporting"></a></h2>
    <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="feature-policy-violation-reports">Feature policy violation reports</dfn> indicate that some behavior of
  the <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document" id="ref-for-concept-document">Document</a> has <a data-link-type="dfn" href="#violate" id="ref-for-violate">violated</a> a feature policy. It is up to each
  individual feature policy to define/determine when a <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="violate|violation|violated" data-noexport id="violate">violation</dfn> of that policy has
  occurred.</p>
    <p><a data-link-type="dfn" href="#feature-policy-violation-reports" id="ref-for-feature-policy-violation-reports">Feature policy violation reports</a> have the <a data-link-type="dfn" href="https://w3c.github.io/reporting/#report-type" id="ref-for-report-type">report type</a> "feature-policy-violation".</p>
    <p><a data-link-type="dfn" href="#feature-policy-violation-reports" id="ref-for-feature-policy-violation-reports①">Feature policy violation reports</a> are <a data-link-type="dfn" href="https://w3c.github.io/reporting/#visible-to-reportingobservers" id="ref-for-visible-to-reportingobservers">visible to <code>ReportingObserver</code>s</a>. </p>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed①"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export id="featurepolicyviolationreportbody"><code><c- g>FeaturePolicyViolationReportBody</c-></code></dfn> : <a class="n" data-link-type="idl-name" href="https://w3c.github.io/reporting/#reportbody" id="ref-for-reportbody"><c- n>ReportBody</c-></a> {
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑥"><c- b>DOMString</c-></a> <dfn class="idl-code" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="attribute" data-export data-readonly data-type="DOMString" id="dom-featurepolicyviolationreportbody-featureid"><code><c- g>featureId</c-></code><a class="self-link" href="#dom-featurepolicyviolationreportbody-featureid"></a></dfn>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑦"><c- b>DOMString</c-></a>? <dfn class="idl-code" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="attribute" data-export data-readonly data-type="DOMString?" id="dom-featurepolicyviolationreportbody-sourcefile"><code><c- g>sourceFile</c-></code><a class="self-link" href="#dom-featurepolicyviolationreportbody-sourcefile"></a></dfn>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long"><c- b>long</c-></a>? <dfn class="idl-code" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="attribute" data-export data-readonly data-type="long?" id="dom-featurepolicyviolationreportbody-linenumber"><code><c- g>lineNumber</c-></code><a class="self-link" href="#dom-featurepolicyviolationreportbody-linenumber"></a></dfn>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long①"><c- b>long</c-></a>? <dfn class="idl-code" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="attribute" data-export data-readonly data-type="long?" id="dom-featurepolicyviolationreportbody-columnnumber"><code><c- g>columnNumber</c-></code><a class="self-link" href="#dom-featurepolicyviolationreportbody-columnnumber"></a></dfn>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑧"><c- b>DOMString</c-></a> <dfn class="idl-code" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="attribute" data-export data-readonly data-type="DOMString" id="dom-featurepolicyviolationreportbody-disposition"><code><c- g>disposition</c-></code><a class="self-link" href="#dom-featurepolicyviolationreportbody-disposition"></a></dfn>;
};
</pre>
    <p>A <a data-link-type="dfn" href="#feature-policy-violation-reports" id="ref-for-feature-policy-violation-reports②">feature policy violation report</a>’s <a data-link-type="dfn" href="https://w3c.github.io/reporting/#report-body" id="ref-for-report-body">body</a>, represented in
  JavaScript by <code class="idl"><a data-link-type="idl" href="#featurepolicyviolationreportbody" id="ref-for-featurepolicyviolationreportbody">FeaturePolicyViolationReportBody</a></code>, contains the following
  fields:</p>
    <ul>
     <li data-md>
      <p><dfn class="dfn-paneled" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="dfn" data-noexport id="featurepolicyviolationreportbody-featureid">featureId</dfn>: The string
identifying the <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①④">policy-controlled feature</a> whose policy has been <a data-link-type="dfn" href="#violate" id="ref-for-violate①">violated</a>. This string can be used for grouping and counting related
reports.</p>
     <li data-md>
      <p><dfn class="dfn-paneled" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="dfn" data-noexport id="featurepolicyviolationreportbody-sourcefile">sourceFile</dfn>: If known,
the file where the <a data-link-type="dfn" href="#violate" id="ref-for-violate②">violation</a> occured, or null otherwise.</p>
     <li data-md>
      <p><dfn class="dfn-paneled" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="dfn" data-noexport id="featurepolicyviolationreportbody-linenumber">lineNumber</dfn>: If known,
the line number in <a data-link-type="dfn" href="#featurepolicyviolationreportbody-sourcefile" id="ref-for-featurepolicyviolationreportbody-sourcefile">sourceFile</a> where
the <a data-link-type="dfn" href="#violate" id="ref-for-violate③">violation</a> occured, or null otherwise.</p>
     <li data-md>
      <p><dfn class="dfn-paneled" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="dfn" data-noexport id="featurepolicyviolationreportbody-columnnumber">columnNumber</dfn>: If known,
the column number in <a data-link-type="dfn" href="#featurepolicyviolationreportbody-sourcefile" id="ref-for-featurepolicyviolationreportbody-sourcefile①">sourceFile</a> where
the <a data-link-type="dfn" href="#violate" id="ref-for-violate④">violation</a> occured, or null otherwise.</p>
     <li data-md>
      <p><dfn class="dfn-paneled" data-dfn-for="FeaturePolicyViolationReportBody" data-dfn-type="dfn" data-noexport id="featurepolicyviolationreportbody-disposition">disposition</dfn>: A string
indicating whether the <a data-link-type="dfn" href="#violate" id="ref-for-violate⑤">violated</a> feature policy was enforced in this
case. <a data-link-type="dfn" href="#featurepolicyviolationreportbody-disposition" id="ref-for-featurepolicyviolationreportbody-disposition">disposition</a> will be set to
"enforce" if the policy was enforced, or "report" if the <a data-link-type="dfn" href="#violate" id="ref-for-violate⑥">violation</a> resulted only in this report being generated (with no further action taken
by the user agent in response to the violation).</p>
      <p class="note" role="note"><span>Note:</span> There is currently no mechanism in place for enabling report-only
mode, so <a data-link-type="dfn" href="#featurepolicyviolationreportbody-disposition" id="ref-for-featurepolicyviolationreportbody-disposition①">disposition</a> will always be
set to "enforce".</p>
    </ul>
   </section>
   <section>
    <h2 class="heading settled" data-level="9" id="algorithms"><span class="secno">9. </span><span class="content">Algorithms</span><a class="self-link" href="#algorithms"></a></h2>
    <section>
     <h3 class="heading settled" data-level="9.1" id="algo-process-response-policy"><span class="secno">9.1. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Process response policy" data-noexport id="process-response-policy">Process response
    policy</dfn></span><a class="self-link" href="#algo-process-response-policy"></a></h3>
     <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-response" id="ref-for-concept-response-response①">response</a> (<var>response</var>) and an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin④">origin</a> (<var>origin</var>), this algorithm returns a <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy④">declared feature
    policy</a>.</p>
     <ol>
      <li>Abort these steps if the <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list">header list</a> does not contain a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header" id="ref-for-concept-header">header</a> whose <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-name" id="ref-for-concept-header-name">name</a> is "<code>Feature-Policy</code>". 
      <li>Let <var>header</var> be the concatenation of the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-value" id="ref-for-concept-header-value">value</a>s of all <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header" id="ref-for-concept-header①">header</a> fields in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list①">header list</a> whose name is
      "<code>Feature-Policy</code>", separated by U+002C (,) (according to
      [RFC7230, 3.2.2]).
      <li>Let <var>feature policy</var> be the result of executing <a data-link-type="dfn" href="#parse-header-from-value-and-origin" id="ref-for-parse-header-from-value-and-origin">Parse
        header from value and origin</a> on <var>header</var> and <var>origin</var>. 
      <li>Return <var>feature policy</var>.
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.2" id="algo-parse-header"><span class="secno">9.2. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Parse header from value and origin" data-noexport id="parse-header-from-value-and-origin">Parse header from <var>value</var> and <var>origin</var></dfn></span><a class="self-link" href="#algo-parse-header"></a></h3>
     <p>Given a string (<var>value</var>) and an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑤">origin</a> (<var>origin</var>)
    this algorithm will return a <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy⑤">declared feature policy</a>.</p>
     <ol>
      <li>Let <var>policy</var> be an empty ordered map.
      <li>
       For each <var>element</var> returned by <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#split-on-commas" id="ref-for-split-on-commas">splitting <var>value</var> on commas</a>: 
       <ol>
        <li>Let <var>directive</var> be the result of executing <a href="#algo-parse-policy-directive">§ 9.3 Parse policy directive</a> on <var>element</var> with <var>container origin</var> set to <var>origin</var>. 
        <li>Run <a data-link-type="dfn" href="#merge-directive-with-declared-policy" id="ref-for-merge-directive-with-declared-policy">Merge directive with declared policy</a> on <var> directive</var> and <var>policy</var>. 
       </ol>
      <li>Return <var>policy</var>.
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.3" id="algo-parse-policy-directive"><span class="secno">9.3. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="parse-policy-directive">Parse policy directive</dfn></span><a class="self-link" href="#algo-parse-policy-directive"></a></h3>
     <p>Given a string (<var>value</var>), an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑥">origin</a> (<var>container
    origin</var>), and an optional <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑦">origin</a> (<var>target origin</var>), this
    algorithm returns a <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive⑥">policy directive</a>. </p>
     <ol>
      <li>Let <var>directive</var> be an empty ordered map.
      <li>
       For each <var>serialized-declaration</var> returned by <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#strictly-split" id="ref-for-strictly-split">strictly splitting <var>value</var> on the delimiter
      U+003B (;)</a>: 
       <ol>
        <li>Let <var>tokens</var> be the result of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#split-on-ascii-whitespace" id="ref-for-split-on-ascii-whitespace">splitting <var>serialized-declaration</var> on ASCII whitespace.</a>
        <li>If <var>tokens</var> is an empty list, then continue.
        <li>Let <var>feature-name</var> be the first element of <var>tokens</var>.
        <li>If <var>feature-name</var> does not identify any recognized <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①⑤">policy-controlled feature</a>, then continue.
        <li>Let <var>feature</var> be the <a data-link-type="dfn" href="#policy-controlled-feature" id="ref-for-policy-controlled-feature①⑥">policy-controlled feature</a> identified by <var>feature-name</var>.
        <li>Let <var>targetlist</var> be the remaining elements, if any, of <var>tokens</var>. 
        <li>Let <var>allowlist</var> be a new <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist①⓪">allowlist</a>. 
        <li>If any element of <var>targetlist</var> is the string
          "<code>*</code>", set <var>allowlist</var> to <a data-link-type="dfn" href="#the-special-value" id="ref-for-the-special-value①">the special value <code>*</code></a>.
        <li>
         Otherwise: 
         <ol>
          <li>Set <var>allowlist</var> to an new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set①">ordered set</a>.
          <li>If <var>targetlist</var> is empty and <var>target origin</var> is given, append <var>target origin</var> to <var>allowlist</var>. 
          <li>
           For each <var>element</var> in <var>targetlist</var>: 
           <ol>
            <li>If <var>element</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive">ASCII case-insensitive</a> match for "<code>'self'</code>", let result be <var>container
                  origin</var>.
            <li>If <var>target origin</var> is given, and <var>element</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①">ASCII case-insensitive</a> match
                  for "<code>'src'</code>", let result be <var>target
                  origin</var>.
            <li>Otherwise, let <var>result</var> be the result of
                  executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-parser" id="ref-for-concept-url-parser">URL parser</a> on <var>element</var>.
            <li>
             If <var>result</var> is not failure: 
             <ol>
              <li>Let <var>target</var> be the origin of <var>result</var>.
              <li>If <var>target</var> is not an opaque origin, append <var>target</var> to <var>allowlist</var>.
             </ol>
           </ol>
         </ol>
        <li>Set <var>directive</var>[<var>feature</var>] to <var>allowlist</var>.
       </ol>
      <li>Return <var>directive</var>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.4" id="algo-merge-directive-with-declared-policy"><span class="secno">9.4. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Merge directive with declared policy" data-noexport id="merge-directive-with-declared-policy">Merge directive with
    declared policy</dfn></span><a class="self-link" href="#algo-merge-directive-with-declared-policy"></a></h3>
     <p>Given a policy directive (<var>directive</var>) and a declared policy
    (<var>policy</var>), this algorithm will modify <var>policy</var> to
    account for the new directive.</p>
     <ol>
      <li>
       For each <var>feature</var> → <var>allowlist</var> of <var>directive</var>: 
       <ol>
        <li>If <var>policy</var> does not contain an allowlist for <var>feature</var>, then set <var>policy</var>[<var>feature</var>] to <var>allowlist</var>.
       </ol>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.5" id="algo-process-feature-policy-attributes"><span class="secno">9.5. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Process feature policy attributes" data-noexport id="process-feature-policy-attributes">Process feature policy
    attributes</dfn></span><a class="self-link" href="#algo-process-feature-policy-attributes"></a></h3>
     <p>Given an element (<var>element</var>), this algorithm returns a <a data-link-type="dfn" href="#container-policy" id="ref-for-container-policy⑧">container policy</a>, which may be empty.</p>
     <ol>
      <li>Let <var>policy</var> be a new <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive⑦">policy directive</a>. 
      <li>Let <var>container policy</var> be the result of running <a data-link-type="dfn" href="#parse-policy-directive" id="ref-for-parse-policy-directive">Parse
      policy directive</a> on the value of <var>element</var>’s <code>allow</code> attribute, with <var>container
        origin</var> set to the origin of <var>element</var>’s node document,
        and <var>target origin</var> set to <var>element</var>’s <a data-link-type="dfn" href="#declared-origin" id="ref-for-declared-origin③">declared
        origin</a>. 
      <li>
       If <var>element</var> is an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element⑧">iframe</a></code> element: 
       <ol>
        <li>
         If <var>element</var>’s <code>allowfullscreen</code> attribute is
          specified, and <var>container policy</var> does not contain an
          allowlist for <code>fullscreen</code>, 
         <ol>
          <li>Construct a new declaration for <code>fullscreen</code>, whose
              allowlist is <a data-link-type="dfn" href="#the-special-value" id="ref-for-the-special-value②">the special value <code>*</code></a>.
          <li>Add <var>declaration</var> to <var>container policy</var>. 
         </ol>
        <li>
         If <var>element</var>’s <code>allowpaymentrequest</code> attribute is specified, and <var>container policy</var> does not
          contain an allowlist for <code>payment</code>, 
         <ol>
          <li>Construct a new declaration for <code>payment</code>, whose
              allowlist is <a data-link-type="dfn" href="#the-special-value" id="ref-for-the-special-value③">the special value <code>*</code></a>.
          <li>Add <var>declaration</var> to <var>container policy</var>. 
         </ol>
       </ol>
      <li>Return <var>container policy</var>.
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.6" id="algo-create-for-browsingcontext"><span class="secno">9.6. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export data-lt="Create a Feature Policy for a browsing context" id="create-for-browsingcontext">Create a
    Feature Policy for a browsing <var>context</var></dfn></span><a class="self-link" href="#algo-create-for-browsingcontext"></a></h3>
     <p>Given a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context">browsing context</a> (<var>browsingContext</var>), and an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑧">origin</a> (<var>origin</var>) this algorithm returns a new <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy⑦">Feature Policy</a>.</p>
     <ol>
      <li>Let <var>inherited policy</var> be a new ordered map.
      <li>Let <var>declared policy</var> be a new ordered map.
      <li>
       For each <var>feature</var> supported, 
       <ol>
        <li>Let <var>isInherited</var> be the result of running <a href="#define-inherited-policy" id="ref-for-define-inherited-policy">Define an inherited policy for feature in browsing
          context</a> on <var>feature</var>, <var>origin</var> and <var>browsingContext</var>. 
        <li>Set <var>inherited policy</var>[<var>feature</var>] to <var>isInherited</var>.
       </ol>
      <li>Let <var>policy</var> be a new <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy⑧">feature policy</a>, with inherited
      policy <var>inherited policy</var> and declared policy <var>declared
      policy</var>. 
      <li>Return <var>policy</var>.
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.7" id="algo-create-from-response"><span class="secno">9.7. </span><span class="content"><dfn data-dfn-type="dfn" data-export data-lt="Create a Feature Policy for a browsing context from response" id="create-from-response">Create a Feature
    Policy for a browsing <var>context</var> from <var>response</var><a class="self-link" href="#create-from-response"></a></dfn></span><a class="self-link" href="#algo-create-from-response"></a></h3>
     <p>Given a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context①">browsing context</a> (<var>browsingContext</var>), <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin⑨">origin</a> (<var>origin</var>), and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-response" id="ref-for-concept-response-response②">response</a> (<var>response</var>), this algorithm returns a new <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy⑨">Feature Policy</a></p>
     <ol>
      <li>Let <var>policy</var> be the result of running <a data-link-type="dfn" href="#create-for-browsingcontext" id="ref-for-create-for-browsingcontext">Create a Feature Policy for a browsing
      context</a> given <var>browsingContext</var>, and <var>origin</var>.
      <li>Let <var>d</var> be the result of running <a href="#process-response-policy" id="ref-for-process-response-policy">Process response policy</a> on <var>response</var> and <var>origin</var>.
      <li>
       For each <var>feature</var> → <var>allowlist</var> of <var>d</var>: 
       <ol>
        <li>If <var>policy</var>’s <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy⑤">inherited policy</a>[<var>feature</var>] is true, then
          set <var>policy</var>’s <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy⑥">declared policy</a>[<var>feature</var>] to <var>allowlist</var>.
       </ol>
      <li>Return <var>policy</var>.
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.8" id="algo-define-inherited-policy"><span class="secno">9.8. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Define an inherited policy for feature in browsing context" data-noexport id="define-inherited-policy">Define an inherited policy for <var>feature</var> in <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context②">browsing context</a></dfn></span><a class="self-link" href="#algo-define-inherited-policy"></a></h3>
     <p>Given a feature (<var>feature</var>), an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①⓪">origin</a> (<var>origin</var>), and
    a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context③">browsing context</a> (<var>browsingContext</var>), this algorithm returns the <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy⑥">inherited policy</a> for that feature.</p>
     <ol>
      <li>If <var>browsingContext</var> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context⑤">nested browsing context</a> of a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container" id="ref-for-browsing-context-container①">browsing context container</a> <var>element</var>, return the result of
        executing <a data-link-type="dfn" href="#define-an-inherited-policy-for-feature-in-container-at-origin" id="ref-for-define-an-inherited-policy-for-feature-in-container-at-origin①">Define an inherited policy for feature in container at
        origin</a> for <var>feature</var> in <var>browsingContext</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container" id="ref-for-browsing-context-container②">browsing
        context container</a> at <var>origin</var>.
      <li>Otherwise, return "<code>Enabled</code>".
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.9" id="algo-define-inherited-policy-in-container"><span class="secno">9.9. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Define an inherited policy for feature in container at origin" data-noexport id="define-an-inherited-policy-for-feature-in-container-at-origin">Define an inherited
    policy for <var>feature</var> in <var>container</var> at <var>origin</var></dfn></span><a class="self-link" href="#algo-define-inherited-policy-in-container"></a></h3>
     <p>Given a feature (<var>feature</var>) a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container" id="ref-for-browsing-context-container③">browsing context container</a> (<var>container</var>), and an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①①">origin</a> for a document in that
    container (<var>origin</var>), this algorithm returns the <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy⑦">inherited
    policy</a> for that feature.</p>
     <ol>
      <li>Let <var>parent</var> be <var>container</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-node-document" id="ref-for-concept-node-document④">node
        document</a>.
      <li>Let <var>container policy</var> be the result of running <a data-link-type="dfn" href="#process-feature-policy-attributes" id="ref-for-process-feature-policy-attributes">Process feature policy attributes</a> on <var>container</var>. 
      <li>
       If <var>feature</var> is a key in <var>container policy</var>: 
       <ol>
        <li>If the <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist①①">allowlist</a> for <var>feature</var> in <var>container policy</var> does not <a data-link-type="dfn" href="#matches" id="ref-for-matches">match</a> <var>origin</var>,
          return "<code>Disabled</code>". 
        <li>If <a href="#is-feature-enabled" id="ref-for-is-feature-enabled"><var>feature</var> is enabled in <var>parent</var> for <var>parent</var>’s <var>origin</var></a>,
          return "<code>Enabled</code>". 
       </ol>
      <li>If <a href="#is-feature-enabled" id="ref-for-is-feature-enabled①"><var>feature</var> is
      enabled in <var>parent</var> for <var>origin</var></a>, return
      "<code>Enabled</code>". 
      <li>Otherwise return "<code>Disabled</code>".
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.10" id="algo-is-feature-enabled"><span class="secno">9.10. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Is feature enabled in document for origin?" data-noexport id="is-feature-enabled">Is <var>feature</var> enabled in <var>document</var> for <var>origin</var>?</dfn></span><a class="self-link" href="#algo-is-feature-enabled"></a></h3>
     <p>Given a feature (<var>feature</var>), a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑨">Document</a></code> object
    (<var>document</var>), and an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①②">origin</a> (<var>origin</var>), this algorithm
    returns "<code>Disabled</code>" if <var>feature</var> should be considered
    disabled, and "<code>Enabled</code>" otherwise.</p>
     <ol>
      <li>Let <var>policy</var> be <var>document</var>’s <a data-link-type="dfn" href="#feature-policy" id="ref-for-feature-policy①⓪">Feature Policy</a> 
      <li>If <var>policy</var>’s <a data-link-type="dfn" href="#inherited-policy" id="ref-for-inherited-policy⑧">inherited policy</a> for <var>feature</var> is Disabled, return "<code>Disabled</code>".
      <li>
       If <var>feature</var> is present in <var>policy</var>’s <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy⑦">declared
      policy</a>: 
       <ol>
        <li>If the <a data-link-type="dfn" href="#allowlist" id="ref-for-allowlist①②">allowlist</a> for <var>feature</var> in <var>policy</var>’s <a data-link-type="dfn" href="#declared-policy" id="ref-for-declared-policy⑧">declared policy</a> <a data-link-type="dfn" href="#matches" id="ref-for-matches①">matches</a> <var>origin</var>, then return "<code>Enabled</code>". 
        <li>Otherwise return "<code>Disabled</code>".
       </ol>
      <li>If <var>feature</var>’s <a data-link-type="dfn" href="#default-allowlist" id="ref-for-default-allowlist③">default allowlist</a> is <code>*</code>, return "<code>Enabled</code>". 
      <li>If <var>feature</var>’s <a data-link-type="dfn" href="#default-allowlist" id="ref-for-default-allowlist④">default allowlist</a> is <code>'self'</code>, and <var>origin</var> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-origin" id="ref-for-same-origin">same origin</a> with <var>document</var>’s origin, return "<code>Enabled</code>". 
      <li>Return "<code>Disabled</code>".
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.11" id="algo-report-feature-policy-violation"><span class="secno">9.11. </span><span class="content"><dfn data-dfn-type="dfn" data-export data-lt="Generate report for violation of feature policy on settings" id="report-feature-policy-violation">Generate report for violation of <var>feature</var> policy on <var>settings</var><a class="self-link" href="#report-feature-policy-violation"></a></dfn></span><a class="self-link" href="#algo-report-feature-policy-violation"></a></h3>
     <p> Given a feature (<var>feature</var>), an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object" id="ref-for-environment-settings-object">environment settings object</a> (<var>settings</var>), and an optional string (<var>group</var>), this algorithm generates a <a data-link-type="dfn" href="https://w3c.github.io/reporting/#report" id="ref-for-report">report</a> about the <a data-link-type="dfn" href="#violate" id="ref-for-violate⑦">violation</a> of the policy for <var>feature</var>.</p>
     <ol>
      <li data-md>
       <p>Let <var>body</var> be a new <code class="idl"><a data-link-type="idl" href="#featurepolicyviolationreportbody" id="ref-for-featurepolicyviolationreportbody①">FeaturePolicyViolationReportBody</a></code>, initialized
  as follows:</p>
       <dl>
        <dt data-md><a data-link-type="dfn" href="#featurepolicyviolationreportbody-featureid" id="ref-for-featurepolicyviolationreportbody-featureid">featureId</a>
        <dd data-md>
         <p><var>feature</var>’s string representation.</p>
        <dt data-md><a data-link-type="dfn" href="#featurepolicyviolationreportbody-sourcefile" id="ref-for-featurepolicyviolationreportbody-sourcefile②">sourceFile</a>
        <dd data-md>
         <p>null</p>
        <dt data-md><a data-link-type="dfn" href="#featurepolicyviolationreportbody-linenumber" id="ref-for-featurepolicyviolationreportbody-linenumber">lineNumber</a>
        <dd data-md>
         <p>null</p>
        <dt data-md><a data-link-type="dfn" href="#featurepolicyviolationreportbody-columnnumber" id="ref-for-featurepolicyviolationreportbody-columnnumber">columnNumber</a>
        <dd data-md>
         <p>null</p>
        <dt data-md><a data-link-type="dfn" href="#featurepolicyviolationreportbody-disposition" id="ref-for-featurepolicyviolationreportbody-disposition②">disposition</a>
        <dd data-md>
         <p>"enforce"</p>
       </dl>
      <li data-md>
       <p>If the user agent is currently executing script, and can extract the
  source file’s URL, line number, and column number from <var>settings</var>, then
  set <var>body</var>’s <a data-link-type="dfn" href="#featurepolicyviolationreportbody-sourcefile" id="ref-for-featurepolicyviolationreportbody-sourcefile③">sourceFile</a>, <a data-link-type="dfn" href="#featurepolicyviolationreportbody-linenumber" id="ref-for-featurepolicyviolationreportbody-linenumber①">lineNumber</a>, and <a data-link-type="dfn" href="#featurepolicyviolationreportbody-columnnumber" id="ref-for-featurepolicyviolationreportbody-columnnumber①">columnNumber</a> accordingly.</p>
      <li data-md>
       <p>If <var>group</var> is omitted, set <var>group</var> to "default".</p>
      <li data-md>
       <p>Execute <span spec-section="/#queue-report"></span> with <var>body</var>,
  "feature-policy-violation", <var>group</var>, and <var>settings</var>.</p>
     </ol>
     <p class="note" role="note"><span>Note:</span> This algorithm should be called when a feature policy has
    been <a data-link-type="dfn" href="#violate" id="ref-for-violate⑧">violated</a>.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="9.12" id="algo-should-request-be-allowed-to-use-feature"><span class="secno">9.12. </span><span class="content"><dfn data-dfn-type="dfn" data-export data-lt="Should request be allowed to use feature?" id="should-request-be-allowed-to-use-feature">Should <var>request</var> be allowed to use <var>feature</var>?<a class="self-link" href="#should-request-be-allowed-to-use-feature"></a></dfn></span><a class="self-link" href="#algo-should-request-be-allowed-to-use-feature"></a></h3>
     <p>Given a feature (<var>feature</var>) and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request">request</a> (<var>request</var>), this algorithm returns <code>true</code> if the request should be allowed to use <var>feature</var>, and <code>false</code> otherwise.</p>
     <ol>
      <li>Set <var>window</var> to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-window" id="ref-for-concept-request-window">window</a>.
      <li>
       If <var>window</var> is not a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/window-object.html#window" id="ref-for-window">Window</a></code>, return <code>false</code>. 
       <div class="issue" id="issue-79a5ddf0"><a class="self-link" href="#issue-79a5ddf0"></a>Feature Policy within non-Window contexts (<code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope" id="ref-for-workerglobalscope">WorkerGlobalScope</a></code> or <code class="idl"><a data-link-type="idl" href="https://drafts.css-houdini.org/worklets/#workletglobalscope" id="ref-for-workletglobalscope">WorkletGlobalScope</a></code>) is being figured out in <a href="https://github.com/WICG/feature-policy/issues/207">issue #207</a>. After that’s resolved, update this algorithm to allow fetches initiated within these contexts to use policy-controlled features. <em>Until</em> that’s resolved, disallow all policy-controlled features (e.g., sending Client Hints to third parties) in these contexts.</div>
      <li>Set <var>document</var> to <var>window</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window" id="ref-for-concept-document-window">associated <code>Document</code></a>.
      <li>Let <var>origin</var> be <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-origin" id="ref-for-concept-request-origin">origin</a>.
      <li>Let <var>result</var> be the result of executing <a href="#is-feature-enabled" id="ref-for-is-feature-enabled②">Is feature enabled in document for
        origin?</a> on <var>feature</var>, <var>document</var>, and <var>origin</var>. 
      <li>If <var>result</var> is "<code>Enabled</code>", return <code>true</code>.
      <li>Otherwise, return <code>false</code>.
     </ol>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="10" id="iana-considerations"><span class="secno">10. </span><span class="content">IANA Considerations</span><a class="self-link" href="#iana-considerations"></a></h2>
    <p>The permanent message header field registry should be updated with the
  following registration <a data-link-type="biblio" href="#biblio-rfc3864">[RFC3864]</a>:</p>
    <dl>
     <dt>Header field name
     <dd>Feature-Policy
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd> <a href>Feature Policy API</a> 
    </dl>
   </section>
   <section class="informative" id="privacy">
    <h2 class="heading settled" data-level="11" id="privacy-and-security"><span class="secno">11. </span><span class="content">Privacy and Security</span><a class="self-link" href="#privacy-and-security"></a></h2>
    <p>This specification standardizes a mechanism for an embedding page to set a
  policy which will be enforced on an embedded page. Similar to iframe <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox" id="ref-for-attr-iframe-sandbox②">sandbox</a></code>, this can be done without the express permission of the
  embedded page, which means that behaviors of existing features can be changed
  in published web sites, by embedding them in another document with an
  appropriate container policy.</p>
    <p>As such, the biggest privacy and security concerns are:</p>
    <ul>
     <li>Exposure of behavior in a cross-origin subframe to its embedder
     <li>Unanticipated behavior changes in subframes controlled by the
    embedder
    </ul>
    <p>To a degree, these concerns are already present in the web platform, and
  this specification attempts to at least not make them needlessly worse.</p>
    <p>Security and privacy issues may also be caused by the design of individual
  features, so care must be taken when integrating with this specification. This
  section attempts to provide some guidance as to what kinds of behaviors could
  cause such issues.</p>
    <h3 class="heading settled" data-level="11.1" id="privacy-expose-behavior"><span class="secno">11.1. </span><span class="content">Exposure of cross-origin behavior</span><a class="self-link" href="#privacy-expose-behavior"></a></h3>
    <p>Features should be designed such that a <a data-link-type="dfn" href="#violate" id="ref-for-violate⑨">violation</a> of the policy in a
  framed document is not observable by documents in other frames. For instance,
  a hypothetical feature which caused a event to be fired in the embedding
  document if it is used while disabled by policy, could be used to extract
  information about the state of an embedded document. If the feature is known
  only to be used while a user is logged in to the site, for instance, then the
  embedder could disable that feature for the frame, and then listen for the
  resulting events to determine whether or not the user is logged in.</p>
    <p>The introspection API is designed to only show information about a
  subframe’s policy which could already be deduced by the embedding document.
  This <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy⑦">observable policy</a> is not affected by any HTTP headers delivered
  with the framed document, and does not change when the frame navigates itself,
  even if such navigation is to a different origin, where a different policy
  applies. Only navigations caused by setting the <code>src</code> attribute of the <code>&lt;iframe></code> element will cause the <a data-link-type="dfn" href="#observable-policy" id="ref-for-observable-policy⑧">observable policy</a> to be updated.</p>
    <h3 class="heading settled" data-level="11.2" id="privacy-alter-behavior"><span class="secno">11.2. </span><span class="content">Unanticipated behavior changes</span><a class="self-link" href="#privacy-alter-behavior"></a></h3>
    <p>Feature policy grants a document the ability to control which features will
  and will not be availble in a subframe at the time it is loaded. When a
  feature represents an existing, long-standing behavior of the web platform,
  this may mean that existing published content on the web was not written with
  the expectation that a particular API could fail.</p>
    <div class="example" id="example-660fabbf">
     <a class="self-link" href="#example-660fabbf"></a> 
     <p>As a practical (though contrived) example, consider a document which uses
    synchronous XMLHttpRequest to determine whether a user has sufficient
    privileges to access the page:</p>
<pre>&lt;!DOCTYPE html>
&lt;h1>Welcome to SecureCorp!&lt;/h1>
&lt;script>
  var req = new XMLHttpRequest();
  req.open("GET", "/api/security_check.json", false);
  req.send();
  if (req.response == "untrusted user") {
    // User is not logged in; redirect to a safe page
    location.href = "/security_check_failed.html";
  }
&lt;/script>
&lt;!-- Page continues with assumption that user is logged in -->
</pre>
     <p>If this document is embedded by a page which disables the
    "<code>sync-xhr</code>" feature, the call to <code>XMLHttpRequest.open()</code> would
    fail, and the security check would be bypassed.</p>
    </div>
    <p>Note that this sort of behavior forcing is already possible on the web:
  some features are only allowed in top-level documents, and not in any iframes,
  and iframe sandboxing can be used in a similar way to embed a frame without
  access to features which it may be depending on.</p>
    <p>In general, this concern is mitigated in two ways:</p>
    <ul>
     <li>The vulnerable page may be served with an <code>X-Frame-Options</code> HTTP header
    which does not allow it to be framed by an attacker.
     <li>Sites should use feature detection to determine whether an API or
    behavior is available before attempting to use it, and should handle any
    documented errors returned or exceptions thrown by the APIs they call.
    </ul>
    <li>In the case where feature detection is not possible, new web content can
    be written to use the <code>policy</code> object to inspect the feature policy which is
    currently enforced, and adjust behaviour or user interface accordingly.
    <p>Authors integrating their features with Feature Policy can decide when and
  how the feature will fail when a document attempts to use it while it is
  disabled. Authors should attempt to make use of existing failure modes, when
  they exist, to increase the chance that existing content will already be
  correctly handling such failures.</p>
    <h3 class="heading settled" data-level="11.3" id="privacy-expose-policy"><span class="secno">11.3. </span><span class="content">Exposure of embedding policy</span><a class="self-link" href="#privacy-expose-policy"></a></h3>
    <p>Care has been taken to limit the information which an page can infer about
  the behavior of cross-origin pages which it embeds. It may be possible in some
  scenarios however, for the embedded page to infer information about its
  embedder, by examining the policy which the embedder has enforced on it.</p>
    <p>This is similar to the existing <code>document.fullscreenEnabled</code> property,
  which can be used by the embedded document to infer whether its embedder has
  granted it the ability to use the Fullscreen API. If this is only granted in
  certain cases — when the user is logged in to the embedding site, for
  instance — then the embedded site can learn something about the state of
  its embedder.</p>
   </section>
  </main>
  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
  <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>
  <p>Conformance requirements are expressed with a combination of
    descriptive assertions and RFC 2119 terminology. The key words “MUST”,
    “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
    “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
    document are to be interpreted as described in RFC 2119.
    However, for readability, these words do not appear in all uppercase
    letters in this specification. </p>
  <p>All of the text of this specification is normative except sections
    explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>
  <p>Examples in this specification are introduced with the words “for example”
    or are set apart from the normative text with <code>class="example"</code>,
    like this: </p>
  <div class="example" id="example-ae2b6bc0">
   <a class="self-link" href="#example-ae2b6bc0"></a> 
   <p>This is an example of an informative example.</p>
  </div>
  <p>Informative notes begin with the word “Note” and are set apart from the
    normative text with <code>class="note"</code>, like this: </p>
  <p class="note" role="note">Note, this is an informative note.</p>
  <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>
  <p>Requirements phrased in the imperative as part of algorithms (such as
    "strip any leading space characters" or "return false and abort these
    steps") are to be interpreted with the meaning of the key word ("must",
    "should", "may", etc) used in introducing the algorithm.</p>
  <p>Conformance requirements phrased as algorithms or specific steps can be
    implemented in any manner, so long as the end result is equivalent. In
    particular, the algorithms defined in this specification are intended to
    be easy to understand and are not intended to be performant. Implementers
    are encouraged to optimize.</p>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#dom-featurepolicy-allowedfeatures">allowedFeatures()</a><span>, in §7.2</span>
   <li><a href="#allowlist">allowlist</a><span>, in §4.8</span>
   <li><a href="#allow-list">allow-list</a><span>, in §5.1</span>
   <li><a href="#allowlist">allowlists</a><span>, in §4.8</span>
   <li><a href="#allow-list-value">allow-list-value</a><span>, in §5.1</span>
   <li><a href="#dom-featurepolicy-allowsfeature">allowsFeature(feature)</a><span>, in §7.2</span>
   <li><a href="#dom-featurepolicy-allowsfeature">allowsFeature(feature, origin)</a><span>, in §7.2</span>
   <li><a href="#associated-node">associated node</a><span>, in §7.2</span>
   <li>
    columnNumber
    <ul>
     <li><a href="#dom-featurepolicyviolationreportbody-columnnumber">attribute for FeaturePolicyViolationReportBody</a><span>, in §8</span>
     <li><a href="#featurepolicyviolationreportbody-columnnumber">dfn for FeaturePolicyViolationReportBody</a><span>, in §8</span>
    </ul>
   <li><a href="#container-policy">container policy</a><span>, in §4.6</span>
   <li><a href="#create-for-browsingcontext">Create a Feature Policy for a browsing context</a><span>, in §9.6</span>
   <li><a href="#create-from-response">Create a Feature Policy for a browsing context from response</a><span>, in §9.7</span>
   <li><a href="#declared-policy">declared feature policy</a><span>, in §4.4</span>
   <li><a href="#declared-origin">declared origin</a><span>, in §7.2</span>
   <li><a href="#declared-policy">declared policy</a><span>, in §4.4</span>
   <li><a href="#default-allowlist">default allowlist</a><span>, in §4.9</span>
   <li><a href="#default-allowlist">default allowlists</a><span>, in §4.9</span>
   <li><a href="#default-origin">default origin</a><span>, in §7.2</span>
   <li><a href="#define-inherited-policy">Define an inherited policy for feature in browsing context</a><span>, in §9.8</span>
   <li><a href="#define-an-inherited-policy-for-feature-in-container-at-origin">Define an inherited policy for feature in container at origin</a><span>, in §9.9</span>
   <li>
    disposition
    <ul>
     <li><a href="#dom-featurepolicyviolationreportbody-disposition">attribute for FeaturePolicyViolationReportBody</a><span>, in §8</span>
     <li><a href="#featurepolicyviolationreportbody-disposition">dfn for FeaturePolicyViolationReportBody</a><span>, in §8</span>
    </ul>
   <li><a href="#empty-feature-policy">empty feature policy</a><span>, in §4.2</span>
   <li>
    featureId
    <ul>
     <li><a href="#dom-featurepolicyviolationreportbody-featureid">attribute for FeaturePolicyViolationReportBody</a><span>, in §8</span>
     <li><a href="#featurepolicyviolationreportbody-featureid">dfn for FeaturePolicyViolationReportBody</a><span>, in §8</span>
    </ul>
   <li><a href="#feature-identifier">feature-identifier</a><span>, in §5.1</span>
   <li>
    featurePolicy
    <ul>
     <li><a href="#dom-document-featurepolicy">attribute for Document</a><span>, in §7.2</span>
     <li><a href="#dom-htmliframeelement-featurepolicy">attribute for HTMLIFrameElement</a><span>, in §7.2</span>
    </ul>
   <li><a href="#feature-policy">feature policy</a><span>, in §4.2</span>
   <li><a href="#featurepolicy">FeaturePolicy</a><span>, in §7.2</span>
   <li><a href="#feature-policy-header">Feature-Policy</a><span>, in §6.1</span>
   <li><a href="#featurepolicyviolationreportbody">FeaturePolicyViolationReportBody</a><span>, in §8</span>
   <li><a href="#feature-policy-violation-reports">Feature policy violation reports</a><span>, in §8</span>
   <li><a href="#dom-featurepolicy-features">features()</a><span>, in §7.2</span>
   <li><a href="#report-feature-policy-violation">Generate report for violation of feature policy on settings</a><span>, in §9.11</span>
   <li><a href="#dom-featurepolicy-getallowlistforfeature">getAllowlistForFeature(feature)</a><span>, in §7.2</span>
   <li><a href="#header-policy">header policy</a><span>, in §4.5</span>
   <li><a href="#inherited-policy">inherited policies</a><span>, in §4.3</span>
   <li><a href="#inherited-policy">inherited policy</a><span>, in §4.3</span>
   <li><a href="#inherited-policy-for-a-feature">inherited policy for a feature</a><span>, in §4.3</span>
   <li><a href="#is-feature-enabled">Is feature enabled in document for origin?</a><span>, in §9.10</span>
   <li>
    lineNumber
    <ul>
     <li><a href="#dom-featurepolicyviolationreportbody-linenumber">attribute for FeaturePolicyViolationReportBody</a><span>, in §8</span>
     <li><a href="#featurepolicyviolationreportbody-linenumber">dfn for FeaturePolicyViolationReportBody</a><span>, in §8</span>
    </ul>
   <li><a href="#matches">matches</a><span>, in §4.8</span>
   <li><a href="#merge-directive-with-declared-policy">Merge directive with declared policy</a><span>, in §9.4</span>
   <li><a href="#observable-policy">observable policy</a><span>, in §7.2</span>
   <li><a href="#parse-header-from-value-and-origin">Parse header from value and origin</a><span>, in §9.2</span>
   <li><a href="#parse-policy-directive">Parse policy directive</a><span>, in §9.3</span>
   <li><a href="#policy-controlled-feature">policy-controlled feature</a><span>, in §4.1</span>
   <li><a href="#policy-directive">policy directive</a><span>, in §4.7</span>
   <li><a href="#policy-directive">policy directives</a><span>, in §4.7</span>
   <li>
    policy object
    <ul>
     <li><a href="#document-policy-object">dfn for Document</a><span>, in §7.2</span>
     <li><a href="#iframe-policy-object">dfn for iframe</a><span>, in §7.2</span>
    </ul>
   <li><a href="#process-feature-policy-attributes">Process feature policy attributes</a><span>, in §9.5</span>
   <li><a href="#process-response-policy">Process response policy</a><span>, in §9.1</span>
   <li><a href="#serialized-feature-policy">serialized-feature-policy</a><span>, in §5.1</span>
   <li><a href="#serialized-origin">serialized-origin</a><span>, in §5.1</span>
   <li><a href="#serialized-policy-directive">serialized-policy-directive</a><span>, in §5.1</span>
   <li><a href="#should-request-be-allowed-to-use-feature">Should request be allowed to use feature?</a><span>, in §9.12</span>
   <li>
    sourceFile
    <ul>
     <li><a href="#dom-featurepolicyviolationreportbody-sourcefile">attribute for FeaturePolicyViolationReportBody</a><span>, in §8</span>
     <li><a href="#featurepolicyviolationreportbody-sourcefile">dfn for FeaturePolicyViolationReportBody</a><span>, in §8</span>
    </ul>
   <li><a href="#supported-features">supported features</a><span>, in §4.1</span>
   <li><a href="#the-special-value">The special value *</a><span>, in §4.8</span>
   <li><a href="#violate">violate</a><span>, in §8</span>
   <li><a href="#violate">violated</a><span>, in §8</span>
   <li><a href="#violate">violation</a><span>, in §8</span>
  </ul>
  <aside class="dfn-panel" data-for="term-for-sandbox">
   <a href="https://w3c.github.io/webappsec-csp/#sandbox">https://w3c.github.io/webappsec-csp/#sandbox</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sandbox">3. Other and related mechanisms</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-document">
   <a href="https://dom.spec.whatwg.org/#document">https://dom.spec.whatwg.org/#document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-document">4.3. Inherited policies</a> <a href="#ref-for-document①">(2)</a>
    <li><a href="#ref-for-document②">7.2. The featurePolicy object</a> <a href="#ref-for-document③">(2)</a> <a href="#ref-for-document④">(3)</a> <a href="#ref-for-document⑤">(4)</a> <a href="#ref-for-document⑥">(5)</a> <a href="#ref-for-document⑦">(6)</a> <a href="#ref-for-document⑧">(7)</a>
    <li><a href="#ref-for-document⑨">9.10. Is
    feature enabled in document for
    origin?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-element">
   <a href="https://dom.spec.whatwg.org/#element">https://dom.spec.whatwg.org/#element</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-element">7.2. The featurePolicy object</a> <a href="#ref-for-element①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-node">
   <a href="https://dom.spec.whatwg.org/#node">https://dom.spec.whatwg.org/#node</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-node">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document">
   <a href="https://dom.spec.whatwg.org/#concept-document">https://dom.spec.whatwg.org/#concept-document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document">8. Reporting</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-node-document">
   <a href="https://dom.spec.whatwg.org/#concept-node-document">https://dom.spec.whatwg.org/#concept-node-document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-node-document">7.2. The featurePolicy object</a> <a href="#ref-for-concept-node-document①">(2)</a> <a href="#ref-for-concept-node-document②">(3)</a> <a href="#ref-for-concept-node-document③">(4)</a>
    <li><a href="#ref-for-concept-node-document④">9.9. Define an inherited
    policy for feature in container at
    origin</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-header">
   <a href="https://fetch.spec.whatwg.org/#concept-header">https://fetch.spec.whatwg.org/#concept-header</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-header">9.1. Process response
    policy</a> <a href="#ref-for-concept-header①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-response-header-list">
   <a href="https://fetch.spec.whatwg.org/#concept-response-header-list">https://fetch.spec.whatwg.org/#concept-response-header-list</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-response-header-list">9.1. Process response
    policy</a> <a href="#ref-for-concept-response-header-list①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-header-name">
   <a href="https://fetch.spec.whatwg.org/#concept-header-name">https://fetch.spec.whatwg.org/#concept-header-name</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-header-name">9.1. Process response
    policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-request-origin">
   <a href="https://fetch.spec.whatwg.org/#concept-request-origin">https://fetch.spec.whatwg.org/#concept-request-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-request-origin">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-request">
   <a href="https://fetch.spec.whatwg.org/#concept-request">https://fetch.spec.whatwg.org/#concept-request</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-request">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-response-response">
   <a href="https://fetch.spec.whatwg.org/#concept-response-response">https://fetch.spec.whatwg.org/#concept-response-response</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-response-response">6.1. Feature-Policy HTTP Header
    Field</a>
    <li><a href="#ref-for-concept-response-response①">9.1. Process response
    policy</a>
    <li><a href="#ref-for-concept-response-response②">9.7. Create a Feature
    Policy for a browsing context from response</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-header-value">
   <a href="https://fetch.spec.whatwg.org/#concept-header-value">https://fetch.spec.whatwg.org/#concept-header-value</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-header-value">9.1. Process response
    policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-request-window">
   <a href="https://fetch.spec.whatwg.org/#concept-request-window">https://fetch.spec.whatwg.org/#concept-request-window</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-request-window">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-element-requestfullscreen">
   <a href="https://fullscreen.spec.whatwg.org/#dom-element-requestfullscreen">https://fullscreen.spec.whatwg.org/#dom-element-requestfullscreen</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-element-requestfullscreen">6.3.1. allowfullscreen</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-htmliframeelement">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#htmliframeelement">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#htmliframeelement</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-htmliframeelement">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-window">
   <a href="https://html.spec.whatwg.org/multipage/window-object.html#window">https://html.spec.whatwg.org/multipage/window-object.html#window</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-window">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-workerglobalscope">
   <a href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-workerglobalscope">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document-window">
   <a href="https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window">https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document-window">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-browsing-context">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#browsing-context</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-browsing-context">9.6. Create a
    Feature Policy for a browsing context</a>
    <li><a href="#ref-for-browsing-context①">9.7. Create a Feature
    Policy for a browsing context from response</a>
    <li><a href="#ref-for-browsing-context②">9.8. Define an inherited policy for
    feature in browsing context</a> <a href="#ref-for-browsing-context③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-browsing-context-container">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container">https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-browsing-context-container">4.6. Container policies</a>
    <li><a href="#ref-for-browsing-context-container①">9.8. Define an inherited policy for
    feature in browsing context</a> <a href="#ref-for-browsing-context-container②">(2)</a>
    <li><a href="#ref-for-browsing-context-container③">9.9. Define an inherited
    policy for feature in container at
    origin</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-child-browsing-context">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#child-browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#child-browsing-context</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-child-browsing-context">4.3. Inherited policies</a> <a href="#ref-for-child-browsing-context①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-environment-settings-object">
   <a href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-environment-settings-object">9.11. Generate report for violation of
    feature policy on settings</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-the-iframe-element">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-the-iframe-element">3. Other and related mechanisms</a>
    <li><a href="#ref-for-the-iframe-element①">6.2. The allow attribute of the
    iframe element</a> <a href="#ref-for-the-iframe-element②">(2)</a>
    <li><a href="#ref-for-the-iframe-element③">6.3.1. allowfullscreen</a>
    <li><a href="#ref-for-the-iframe-element④">6.3.2. allowpaymentrequest</a>
    <li><a href="#ref-for-the-iframe-element⑤">7.2. The featurePolicy object</a> <a href="#ref-for-the-iframe-element⑥">(2)</a> <a href="#ref-for-the-iframe-element⑦">(3)</a>
    <li><a href="#ref-for-the-iframe-element⑧">9.5. Process feature policy
    attributes</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-nested-browsing-context">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-nested-browsing-context">4.6. Container policies</a> <a href="#ref-for-nested-browsing-context①">(2)</a>
    <li><a href="#ref-for-nested-browsing-context②">6.2. The allow attribute of the
    iframe element</a>
    <li><a href="#ref-for-nested-browsing-context③">6.3.1. allowfullscreen</a>
    <li><a href="#ref-for-nested-browsing-context④">6.3.2. allowpaymentrequest</a>
    <li><a href="#ref-for-nested-browsing-context⑤">9.8. Define an inherited policy for
    feature in browsing context</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin">https://html.spec.whatwg.org/multipage/origin.html#concept-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin">4.8. Allowlists</a> <a href="#ref-for-concept-origin①">(2)</a>
    <li><a href="#ref-for-concept-origin②">7.2. The featurePolicy object</a> <a href="#ref-for-concept-origin③">(2)</a>
    <li><a href="#ref-for-concept-origin④">9.1. Process response
    policy</a>
    <li><a href="#ref-for-concept-origin⑤">9.2. Parse header from value and
    origin</a>
    <li><a href="#ref-for-concept-origin⑥">9.3. Parse policy directive</a> <a href="#ref-for-concept-origin⑦">(2)</a>
    <li><a href="#ref-for-concept-origin⑧">9.6. Create a
    Feature Policy for a browsing context</a>
    <li><a href="#ref-for-concept-origin⑨">9.7. Create a Feature
    Policy for a browsing context from response</a>
    <li><a href="#ref-for-concept-origin①⓪">9.8. Define an inherited policy for
    feature in browsing context</a>
    <li><a href="#ref-for-concept-origin①①">9.9. Define an inherited
    policy for feature in container at
    origin</a>
    <li><a href="#ref-for-concept-origin①②">9.10. Is
    feature enabled in document for
    origin?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-same-origin">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#same-origin">https://html.spec.whatwg.org/multipage/origin.html#same-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-same-origin">9.10. Is
    feature enabled in document for
    origin?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-same-origin-domain">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain">https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-same-origin-domain">4.8. Allowlists</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-attr-iframe-sandbox">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attr-iframe-sandbox">3. Other and related mechanisms</a>
    <li><a href="#ref-for-attr-iframe-sandbox①">7.2. The featurePolicy object</a>
    <li><a href="#ref-for-attr-iframe-sandbox②">11. Privacy and Security</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-sandboxed-origin-browsing-context-flag">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#sandboxed-origin-browsing-context-flag">https://html.spec.whatwg.org/multipage/origin.html#sandboxed-origin-browsing-context-flag</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sandboxed-origin-browsing-context-flag">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-ascii-serialisation-of-an-origin">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin">https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ascii-serialisation-of-an-origin">5.1. ASCII serialization</a>
    <li><a href="#ref-for-ascii-serialisation-of-an-origin①">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-attr-iframe-src">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-src">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-src</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attr-iframe-src">6.2. The allow attribute of the
    iframe element</a>
    <li><a href="#ref-for-attr-iframe-src①">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-attr-iframe-srcdoc">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-srcdoc">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-srcdoc</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attr-iframe-srcdoc">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-top-level-browsing-context">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-top-level-browsing-context">4.3. Inherited policies</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-ascii-case-insensitive">
   <a href="https://infra.spec.whatwg.org/#ascii-case-insensitive">https://infra.spec.whatwg.org/#ascii-case-insensitive</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ascii-case-insensitive">9.3. Parse policy directive</a> <a href="#ref-for-ascii-case-insensitive①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-ordered-set">
   <a href="https://infra.spec.whatwg.org/#ordered-set">https://infra.spec.whatwg.org/#ordered-set</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ordered-set">4.8. Allowlists</a>
    <li><a href="#ref-for-ordered-set①">9.3. Parse policy directive</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-split-on-ascii-whitespace">
   <a href="https://infra.spec.whatwg.org/#split-on-ascii-whitespace">https://infra.spec.whatwg.org/#split-on-ascii-whitespace</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-split-on-ascii-whitespace">9.3. Parse policy directive</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-split-on-commas">
   <a href="https://infra.spec.whatwg.org/#split-on-commas">https://infra.spec.whatwg.org/#split-on-commas</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-split-on-commas">9.2. Parse header from value and
    origin</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-strictly-split">
   <a href="https://infra.spec.whatwg.org/#strictly-split">https://infra.spec.whatwg.org/#strictly-split</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-strictly-split">9.3. Parse policy directive</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-dom-paymentrequest">
   <a href="https://w3c.github.io/payment-request/#dom-paymentrequest">https://w3c.github.io/payment-request/#dom-paymentrequest</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-paymentrequest">6.3.2. allowpaymentrequest</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-report-type">
   <a href="https://w3c.github.io/reporting/#report-type">https://w3c.github.io/reporting/#report-type</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-report-type">8. Reporting</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-visible-to-reportingobservers">
   <a href="https://w3c.github.io/reporting/#visible-to-reportingobservers">https://w3c.github.io/reporting/#visible-to-reportingobservers</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-visible-to-reportingobservers">8. Reporting</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-reportbody">
   <a href="https://w3c.github.io/reporting/#reportbody">https://w3c.github.io/reporting/#reportbody</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-reportbody">8. Reporting</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-report-body">
   <a href="https://w3c.github.io/reporting/#report-body">https://w3c.github.io/reporting/#report-body</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-report-body">8. Reporting</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-report">
   <a href="https://w3c.github.io/reporting/#report">https://w3c.github.io/reporting/#report</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-report">9.11. Generate report for violation of
    feature policy on settings</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-url-parser">
   <a href="https://url.spec.whatwg.org/#concept-url-parser">https://url.spec.whatwg.org/#concept-url-parser</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-url-parser">9.3. Parse policy directive</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-DOMString">
   <a href="https://heycam.github.io/webidl/#idl-DOMString">https://heycam.github.io/webidl/#idl-DOMString</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-DOMString">7.2. The featurePolicy object</a> <a href="#ref-for-idl-DOMString①">(2)</a> <a href="#ref-for-idl-DOMString②">(3)</a> <a href="#ref-for-idl-DOMString③">(4)</a> <a href="#ref-for-idl-DOMString④">(5)</a> <a href="#ref-for-idl-DOMString⑤">(6)</a>
    <li><a href="#ref-for-idl-DOMString⑥">8. Reporting</a> <a href="#ref-for-idl-DOMString⑦">(2)</a> <a href="#ref-for-idl-DOMString⑧">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-Exposed">
   <a href="https://heycam.github.io/webidl/#Exposed">https://heycam.github.io/webidl/#Exposed</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-Exposed">7.2. The featurePolicy object</a>
    <li><a href="#ref-for-Exposed①">8. Reporting</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-SameObject">
   <a href="https://heycam.github.io/webidl/#SameObject">https://heycam.github.io/webidl/#SameObject</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-SameObject">7.2. The featurePolicy object</a> <a href="#ref-for-SameObject①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-boolean">
   <a href="https://heycam.github.io/webidl/#idl-boolean">https://heycam.github.io/webidl/#idl-boolean</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-boolean">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-idl-long">
   <a href="https://heycam.github.io/webidl/#idl-long">https://heycam.github.io/webidl/#idl-long</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-idl-long">8. Reporting</a> <a href="#ref-for-idl-long①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-workletglobalscope">
   <a href="https://drafts.css-houdini.org/worklets/#workletglobalscope">https://drafts.css-houdini.org/worklets/#workletglobalscope</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-workletglobalscope">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[csp-3]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-sandbox" style="color:initial">sandbox</span>
    </ul>
   <li>
    <a data-link-type="biblio">[DOM]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-document" style="color:initial">Document</span>
     <li><span class="dfn-paneled" id="term-for-element" style="color:initial">Element</span>
     <li><span class="dfn-paneled" id="term-for-node" style="color:initial">Node</span>
     <li><span class="dfn-paneled" id="term-for-concept-document" style="color:initial">document</span>
     <li><span class="dfn-paneled" id="term-for-concept-node-document" style="color:initial">node document</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FETCH]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-concept-header" style="color:initial">header</span>
     <li><span class="dfn-paneled" id="term-for-concept-response-header-list" style="color:initial">header list</span>
     <li><span class="dfn-paneled" id="term-for-concept-header-name" style="color:initial">name</span>
     <li><span class="dfn-paneled" id="term-for-concept-request-origin" style="color:initial">origin</span>
     <li><span class="dfn-paneled" id="term-for-concept-request" style="color:initial">request</span>
     <li><span class="dfn-paneled" id="term-for-concept-response-response" style="color:initial">response</span>
     <li><span class="dfn-paneled" id="term-for-concept-header-value" style="color:initial">value</span>
     <li><span class="dfn-paneled" id="term-for-concept-request-window" style="color:initial">window</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FULLSCREEN]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-dom-element-requestfullscreen" style="color:initial">requestFullscreen()</span>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-htmliframeelement" style="color:initial">HTMLIFrameElement</span>
     <li><span class="dfn-paneled" id="term-for-window" style="color:initial">Window</span>
     <li><span class="dfn-paneled" id="term-for-workerglobalscope" style="color:initial">WorkerGlobalScope</span>
     <li><span class="dfn-paneled" id="term-for-concept-document-window" style="color:initial">associated document</span>
     <li><span class="dfn-paneled" id="term-for-browsing-context" style="color:initial">browsing context</span>
     <li><span class="dfn-paneled" id="term-for-browsing-context-container" style="color:initial">browsing context container</span>
     <li><span class="dfn-paneled" id="term-for-child-browsing-context" style="color:initial">child browsing context</span>
     <li><span class="dfn-paneled" id="term-for-environment-settings-object" style="color:initial">environment settings object</span>
     <li><span class="dfn-paneled" id="term-for-the-iframe-element" style="color:initial">iframe</span>
     <li><span class="dfn-paneled" id="term-for-nested-browsing-context" style="color:initial">nested browsing context</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin" style="color:initial">origin</span>
     <li><span class="dfn-paneled" id="term-for-same-origin" style="color:initial">same origin</span>
     <li><span class="dfn-paneled" id="term-for-same-origin-domain" style="color:initial">same origin-domain</span>
     <li><span class="dfn-paneled" id="term-for-attr-iframe-sandbox" style="color:initial">sandbox</span>
     <li><span class="dfn-paneled" id="term-for-sandboxed-origin-browsing-context-flag" style="color:initial">sandboxed origin browsing context flag</span>
     <li><span class="dfn-paneled" id="term-for-ascii-serialisation-of-an-origin" style="color:initial">serialization of an origin</span>
     <li><span class="dfn-paneled" id="term-for-attr-iframe-src" style="color:initial">src</span>
     <li><span class="dfn-paneled" id="term-for-attr-iframe-srcdoc" style="color:initial">srcdoc</span>
     <li><span class="dfn-paneled" id="term-for-top-level-browsing-context" style="color:initial">top-level browsing context</span>
    </ul>
   <li>
    <a data-link-type="biblio">[INFRA]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-ascii-case-insensitive" style="color:initial">ascii case-insensitive</span>
     <li><span class="dfn-paneled" id="term-for-ordered-set" style="color:initial">ordered set</span>
     <li><span class="dfn-paneled" id="term-for-split-on-ascii-whitespace" style="color:initial">split on ascii whitespace</span>
     <li><span class="dfn-paneled" id="term-for-split-on-commas" style="color:initial">split on commas</span>
     <li><span class="dfn-paneled" id="term-for-strictly-split" style="color:initial">strictly split</span>
    </ul>
   <li>
    <a data-link-type="biblio">[payment-request]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-dom-paymentrequest" style="color:initial">paymentrequest</span>
    </ul>
   <li>
    <a data-link-type="biblio">[REPORTING]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-report-type" style="color:initial">report type</span>
     <li><span class="dfn-paneled" id="term-for-visible-to-reportingobservers" style="color:initial">visible to reportingobservers</span>
    </ul>
   <li>
    <a data-link-type="biblio">[reporting-1]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-reportbody" style="color:initial">ReportBody</span>
     <li><span class="dfn-paneled" id="term-for-report-body" style="color:initial">body</span>
     <li><span class="dfn-paneled" id="term-for-report" style="color:initial">report</span>
    </ul>
   <li>
    <a data-link-type="biblio">[URL]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-concept-url-parser" style="color:initial">url parser</span>
    </ul>
   <li>
    <a data-link-type="biblio">[WebIDL]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-idl-DOMString" style="color:initial">DOMString</span>
     <li><span class="dfn-paneled" id="term-for-Exposed" style="color:initial">Exposed</span>
     <li><span class="dfn-paneled" id="term-for-SameObject" style="color:initial">SameObject</span>
     <li><span class="dfn-paneled" id="term-for-idl-boolean" style="color:initial">boolean</span>
     <li><span class="dfn-paneled" id="term-for-idl-long" style="color:initial">long</span>
    </ul>
   <li>
    <a data-link-type="biblio">[worklets-1]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-workletglobalscope" style="color:initial">WorkletGlobalScope</span>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-csp-3">[CSP-3]
   <dd>Content Security Policy Level 3 URL: <a href="https://www.w3.org/TR/CSP3/">https://www.w3.org/TR/CSP3/</a>
   <dt id="biblio-dom">[DOM]
   <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a>
   <dt id="biblio-fetch">[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-fullscreen">[FULLSCREEN]
   <dd>Philip Jägenstedt. <a href="https://fullscreen.spec.whatwg.org/">Fullscreen API Standard</a>. Living Standard. URL: <a href="https://fullscreen.spec.whatwg.org/">https://fullscreen.spec.whatwg.org/</a>
   <dt id="biblio-html">[HTML]
   <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
   <dt id="biblio-infra">[INFRA]
   <dd>Anne van Kesteren; Domenic Denicola. <a href="https://infra.spec.whatwg.org/">Infra Standard</a>. Living Standard. URL: <a href="https://infra.spec.whatwg.org/">https://infra.spec.whatwg.org/</a>
   <dt id="biblio-payment-request">[PAYMENT-REQUEST]
   <dd>Zach Koch; et al. <a href="https://www.w3.org/TR/payment-request/">Payment Request API</a>. 16 April 2019. CR. URL: <a href="https://www.w3.org/TR/payment-request/">https://www.w3.org/TR/payment-request/</a>
   <dt id="biblio-reporting">[REPORTING]
   <dd><a href="https://wicg.github.io/reporting/">Reporting API</a>. Living Standard. URL: <a href="https://wicg.github.io/reporting/">https://wicg.github.io/reporting/</a>
   <dt id="biblio-reporting-1">[REPORTING-1]
   <dd>Douglas Creager; et al. <a href="https://www.w3.org/TR/reporting-1/">Reporting API</a>. 25 September 2018. WD. URL: <a href="https://www.w3.org/TR/reporting-1/">https://www.w3.org/TR/reporting-1/</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc3864">[RFC3864]
   <dd>G. Klyne; M. Nottingham; J. Mogul. <a href="https://tools.ietf.org/html/rfc3864">Registration Procedures for Message Header Fields</a>. September 2004. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc3864">https://tools.ietf.org/html/rfc3864</a>
   <dt id="biblio-url">[URL]
   <dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
   <dt id="biblio-webidl">[WebIDL]
   <dd>Boris Zbarsky. <a href="https://heycam.github.io/webidl/">Web IDL</a>. 15 December 2016. ED. URL: <a href="https://heycam.github.io/webidl/">https://heycam.github.io/webidl/</a>
   <dt id="biblio-worklets-1">[WORKLETS-1]
   <dd>Ian Kilpatrick. <a href="https://www.w3.org/TR/worklets-1/">Worklets Level 1</a>. 7 June 2016. WD. URL: <a href="https://www.w3.org/TR/worklets-1/">https://www.w3.org/TR/worklets-1/</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-csp2">[CSP2]
   <dd>Mike West; Adam Barth; Daniel Veditz. <a href="https://www.w3.org/TR/CSP2/">Content Security Policy Level 2</a>. 15 December 2016. REC. URL: <a href="https://www.w3.org/TR/CSP2/">https://www.w3.org/TR/CSP2/</a>
   <dt id="biblio-html5">[HTML5]
   <dd>Ian Hickson; et al. <a href="https://www.w3.org/TR/html5/">HTML5</a>. 27 March 2018. REC. URL: <a href="https://www.w3.org/TR/html5/">https://www.w3.org/TR/html5/</a>
  </dl>
  <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
<pre class="idl highlight def">[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed②"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a href="#featurepolicy"><code><c- g>FeaturePolicy</c-></code></a> {
  <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean" id="ref-for-idl-boolean①"><c- b>boolean</c-></a> <a href="#dom-featurepolicy-allowsfeature"><code><c- g>allowsFeature</c-></code></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑨"><c- b>DOMString</c-></a> <a href="#dom-featurepolicy-allowsfeature-feature-origin-feature"><code><c- g>feature</c-></code></a>, <c- b>optional</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①①"><c- b>DOMString</c-></a> <a href="#dom-featurepolicy-allowsfeature-feature-origin-origin"><code><c- g>origin</c-></code></a>);
  <c- b>sequence</c->&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②①"><c- b>DOMString</c-></a>> <a href="#dom-featurepolicy-features"><code><c- g>features</c-></code></a>();
  <c- b>sequence</c->&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③①"><c- b>DOMString</c-></a>> <a href="#dom-featurepolicy-allowedfeatures"><code><c- g>allowedFeatures</c-></code></a>();
  <c- b>sequence</c->&lt;<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString④①"><c- b>DOMString</c-></a>> <a href="#dom-featurepolicy-getallowlistforfeature"><code><c- g>getAllowlistForFeature</c-></code></a>(<a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑤①"><c- b>DOMString</c-></a> <a href="#dom-featurepolicy-getallowlistforfeature-feature-feature"><code><c- g>feature</c-></code></a>);
};

<c- b>partial</c-> <c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="https://dom.spec.whatwg.org/#document" id="ref-for-document②①"><c- g>Document</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject②"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="n" data-link-type="idl-name" href="#featurepolicy" id="ref-for-featurepolicy②①"><c- n>FeaturePolicy</c-></a> <a data-readonly data-type="FeaturePolicy" href="#dom-document-featurepolicy"><code><c- g>featurePolicy</c-></code></a>;
};

<c- b>partial</c-> <c- b>interface</c-> <a class="idl-code" data-link-type="interface" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#htmliframeelement" id="ref-for-htmliframeelement①"><c- g>HTMLIFrameElement</c-></a> {
    [<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SameObject" id="ref-for-SameObject①①"><c- g>SameObject</c-></a>] <c- b>readonly</c-> <c- b>attribute</c-> <a class="n" data-link-type="idl-name" href="#featurepolicy" id="ref-for-featurepolicy③①"><c- n>FeaturePolicy</c-></a> <a data-readonly data-type="FeaturePolicy" href="#dom-htmliframeelement-featurepolicy"><code><c- g>featurePolicy</c-></code></a>;
};

[<a class="idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#Exposed" id="ref-for-Exposed①①"><c- g>Exposed</c-></a>=<c- n>Window</c->]
<c- b>interface</c-> <a href="#featurepolicyviolationreportbody"><code><c- g>FeaturePolicyViolationReportBody</c-></code></a> : <a class="n" data-link-type="idl-name" href="https://w3c.github.io/reporting/#reportbody" id="ref-for-reportbody①"><c- n>ReportBody</c-></a> {
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑥①"><c- b>DOMString</c-></a> <a data-readonly data-type="DOMString" href="#dom-featurepolicyviolationreportbody-featureid"><code><c- g>featureId</c-></code></a>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑦①"><c- b>DOMString</c-></a>? <a data-readonly data-type="DOMString?" href="#dom-featurepolicyviolationreportbody-sourcefile"><code><c- g>sourceFile</c-></code></a>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long②"><c- b>long</c-></a>? <a data-readonly data-type="long?" href="#dom-featurepolicyviolationreportbody-linenumber"><code><c- g>lineNumber</c-></code></a>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long①①"><c- b>long</c-></a>? <a data-readonly data-type="long?" href="#dom-featurepolicyviolationreportbody-columnnumber"><code><c- g>columnNumber</c-></code></a>;
  <c- b>readonly</c-> <c- b>attribute</c-> <a class="idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑧①"><c- b>DOMString</c-></a> <a data-readonly data-type="DOMString" href="#dom-featurepolicyviolationreportbody-disposition"><code><c- g>disposition</c-></code></a>;
};

</pre>
  <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
  <div style="counter-reset:issue">
   <div class="issue">This spec currently only deals with features defined in
    Documents. We should figure out how to word this to include the possibility
    of features and feature policies in Workers and Worklets as well.<a href="#issue-e7bb8656"> ↵ </a></div>
   <div class="issue">Feature Policy within non-Window contexts (<code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a></code> or <code class="idl"><a data-link-type="idl" href="https://drafts.css-houdini.org/worklets/#workletglobalscope">WorkletGlobalScope</a></code>) is being figured out in <a href="https://github.com/WICG/feature-policy/issues/207">issue #207</a>. After that’s resolved, update this algorithm to allow fetches initiated within these contexts to use policy-controlled features. <em>Until</em> that’s resolved, disallow all policy-controlled features (e.g., sending Client Hints to third parties) in these contexts.<a href="#issue-79a5ddf0"> ↵ </a></div>
  </div>
  <aside class="dfn-panel" data-for="policy-controlled-feature">
   <b><a href="#policy-controlled-feature">#policy-controlled-feature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-controlled-feature">4.1. Policy-controlled Features</a> <a href="#ref-for-policy-controlled-feature①">(2)</a> <a href="#ref-for-policy-controlled-feature②">(3)</a> <a href="#ref-for-policy-controlled-feature③">(4)</a> <a href="#ref-for-policy-controlled-feature④">(5)</a> <a href="#ref-for-policy-controlled-feature⑤">(6)</a>
    <li><a href="#ref-for-policy-controlled-feature⑥">4.3. Inherited policies</a> <a href="#ref-for-policy-controlled-feature⑦">(2)</a>
    <li><a href="#ref-for-policy-controlled-feature⑧">4.4. Declared policies</a>
    <li><a href="#ref-for-policy-controlled-feature⑨">4.7. Policy directives</a>
    <li><a href="#ref-for-policy-controlled-feature①⓪">4.9. Default Allowlists</a> <a href="#ref-for-policy-controlled-feature①①">(2)</a>
    <li><a href="#ref-for-policy-controlled-feature①②">6.2. The allow attribute of the
    iframe element</a>
    <li><a href="#ref-for-policy-controlled-feature①③">6.3. Additional attributes to support legacy
    features</a>
    <li><a href="#ref-for-policy-controlled-feature①④">8. Reporting</a>
    <li><a href="#ref-for-policy-controlled-feature①⑤">9.3. Parse policy directive</a> <a href="#ref-for-policy-controlled-feature①⑥">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="supported-features">
   <b><a href="#supported-features">#supported-features</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-supported-features">4.2. Policies</a>
    <li><a href="#ref-for-supported-features①">4.3. Inherited policies</a>
    <li><a href="#ref-for-supported-features②">7.2. The featurePolicy object</a> <a href="#ref-for-supported-features③">(2)</a> <a href="#ref-for-supported-features④">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="feature-policy">
   <b><a href="#feature-policy">#feature-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-feature-policy">4.1. Policy-controlled Features</a>
    <li><a href="#ref-for-feature-policy①">4.2. Policies</a>
    <li><a href="#ref-for-feature-policy②">4.3. Inherited policies</a>
    <li><a href="#ref-for-feature-policy③">4.5. Header policies</a>
    <li><a href="#ref-for-feature-policy④">6.1. Feature-Policy HTTP Header
    Field</a>
    <li><a href="#ref-for-feature-policy⑤">7.2. The featurePolicy object</a> <a href="#ref-for-feature-policy⑥">(2)</a>
    <li><a href="#ref-for-feature-policy⑦">9.6. Create a
    Feature Policy for a browsing context</a> <a href="#ref-for-feature-policy⑧">(2)</a>
    <li><a href="#ref-for-feature-policy⑨">9.7. Create a Feature
    Policy for a browsing context from response</a>
    <li><a href="#ref-for-feature-policy①⓪">9.10. Is
    feature enabled in document for
    origin?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="inherited-policy">
   <b><a href="#inherited-policy">#inherited-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-inherited-policy">4.2. Policies</a> <a href="#ref-for-inherited-policy①">(2)</a>
    <li><a href="#ref-for-inherited-policy②">4.3. Inherited policies</a> <a href="#ref-for-inherited-policy③">(2)</a>
    <li><a href="#ref-for-inherited-policy④">4.6. Container policies</a>
    <li><a href="#ref-for-inherited-policy⑤">9.7. Create a Feature
    Policy for a browsing context from response</a>
    <li><a href="#ref-for-inherited-policy⑥">9.8. Define an inherited policy for
    feature in browsing context</a>
    <li><a href="#ref-for-inherited-policy⑦">9.9. Define an inherited
    policy for feature in container at
    origin</a>
    <li><a href="#ref-for-inherited-policy⑧">9.10. Is
    feature enabled in document for
    origin?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="declared-policy">
   <b><a href="#declared-policy">#declared-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-declared-policy">4.2. Policies</a> <a href="#ref-for-declared-policy①">(2)</a>
    <li><a href="#ref-for-declared-policy②">4.3. Inherited policies</a>
    <li><a href="#ref-for-declared-policy③">4.5. Header policies</a>
    <li><a href="#ref-for-declared-policy④">9.1. Process response
    policy</a>
    <li><a href="#ref-for-declared-policy⑤">9.2. Parse header from value and
    origin</a>
    <li><a href="#ref-for-declared-policy⑥">9.7. Create a Feature
    Policy for a browsing context from response</a>
    <li><a href="#ref-for-declared-policy⑦">9.10. Is
    feature enabled in document for
    origin?</a> <a href="#ref-for-declared-policy⑧">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="header-policy">
   <b><a href="#header-policy">#header-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-header-policy">4.6. Container policies</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="container-policy">
   <b><a href="#container-policy">#container-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-container-policy">4.3. Inherited policies</a>
    <li><a href="#ref-for-container-policy①">4.6. Container policies</a> <a href="#ref-for-container-policy②">(2)</a> <a href="#ref-for-container-policy③">(3)</a> <a href="#ref-for-container-policy④">(4)</a>
    <li><a href="#ref-for-container-policy⑤">6.2. The allow attribute of the
    iframe element</a>
    <li><a href="#ref-for-container-policy⑥">6.3.1. allowfullscreen</a>
    <li><a href="#ref-for-container-policy⑦">6.3.2. allowpaymentrequest</a>
    <li><a href="#ref-for-container-policy⑧">9.5. Process feature policy
    attributes</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="policy-directive">
   <b><a href="#policy-directive">#policy-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-directive">4.1. Policy-controlled Features</a>
    <li><a href="#ref-for-policy-directive①">4.5. Header policies</a>
    <li><a href="#ref-for-policy-directive②">4.6. Container policies</a>
    <li><a href="#ref-for-policy-directive③">4.7. Policy directives</a>
    <li><a href="#ref-for-policy-directive④">5.1. ASCII serialization</a>
    <li><a href="#ref-for-policy-directive⑤">6.1. Feature-Policy HTTP Header
    Field</a>
    <li><a href="#ref-for-policy-directive⑥">9.3. Parse policy directive</a>
    <li><a href="#ref-for-policy-directive⑦">9.5. Process feature policy
    attributes</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="allowlist">
   <b><a href="#allowlist">#allowlist</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-allowlist">2. Examples</a>
    <li><a href="#ref-for-allowlist①">4.4. Declared policies</a>
    <li><a href="#ref-for-allowlist②">4.7. Policy directives</a>
    <li><a href="#ref-for-allowlist③">4.8. Allowlists</a> <a href="#ref-for-allowlist④">(2)</a> <a href="#ref-for-allowlist⑤">(3)</a> <a href="#ref-for-allowlist⑥">(4)</a>
    <li><a href="#ref-for-allowlist⑦">6.2. The allow attribute of the
    iframe element</a>
    <li><a href="#ref-for-allowlist⑧">6.3.1. allowfullscreen</a>
    <li><a href="#ref-for-allowlist⑨">6.3.2. allowpaymentrequest</a>
    <li><a href="#ref-for-allowlist①⓪">9.3. Parse policy directive</a>
    <li><a href="#ref-for-allowlist①①">9.9. Define an inherited
    policy for feature in container at
    origin</a>
    <li><a href="#ref-for-allowlist①②">9.10. Is
    feature enabled in document for
    origin?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="the-special-value">
   <b><a href="#the-special-value">#the-special-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-the-special-value">4.8. Allowlists</a>
    <li><a href="#ref-for-the-special-value①">9.3. Parse policy directive</a>
    <li><a href="#ref-for-the-special-value②">9.5. Process feature policy
    attributes</a> <a href="#ref-for-the-special-value③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="matches">
   <b><a href="#matches">#matches</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-matches">9.9. Define an inherited
    policy for feature in container at
    origin</a>
    <li><a href="#ref-for-matches①">9.10. Is
    feature enabled in document for
    origin?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="default-allowlist">
   <b><a href="#default-allowlist">#default-allowlist</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-default-allowlist">4.1. Policy-controlled Features</a>
    <li><a href="#ref-for-default-allowlist①">4.9. Default Allowlists</a> <a href="#ref-for-default-allowlist②">(2)</a>
    <li><a href="#ref-for-default-allowlist③">9.10. Is
    feature enabled in document for
    origin?</a> <a href="#ref-for-default-allowlist④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-feature-policy">
   <b><a href="#serialized-feature-policy">#serialized-feature-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-feature-policy">6.1. Feature-Policy HTTP Header
    Field</a> <a href="#ref-for-serialized-feature-policy①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-policy-directive">
   <b><a href="#serialized-policy-directive">#serialized-policy-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-policy-directive">5.1. ASCII serialization</a> <a href="#ref-for-serialized-policy-directive①">(2)</a>
    <li><a href="#ref-for-serialized-policy-directive">6.2. The allow attribute of the
    iframe element</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="feature-identifier">
   <b><a href="#feature-identifier">#feature-identifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-feature-identifier">5.1. ASCII serialization</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="allow-list">
   <b><a href="#allow-list">#allow-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-allow-list">5.1. ASCII serialization</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="allow-list-value">
   <b><a href="#allow-list-value">#allow-list-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-allow-list-value">5.1. ASCII serialization</a> <a href="#ref-for-allow-list-value①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-origin">
   <b><a href="#serialized-origin">#serialized-origin</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-origin">5.1. ASCII serialization</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="feature-policy-header">
   <b><a href="#feature-policy-header">#feature-policy-header</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-feature-policy-header">2. Examples</a> <a href="#ref-for-feature-policy-header①">(2)</a> <a href="#ref-for-feature-policy-header②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="featurepolicy">
   <b><a href="#featurepolicy">#featurepolicy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-featurepolicy">7.1. Overview</a>
    <li><a href="#ref-for-featurepolicy①">7.1.1. Document policies</a>
    <li><a href="#ref-for-featurepolicy②">7.2. The featurePolicy object</a> <a href="#ref-for-featurepolicy③">(2)</a> <a href="#ref-for-featurepolicy④">(3)</a> <a href="#ref-for-featurepolicy⑤">(4)</a> <a href="#ref-for-featurepolicy⑥">(5)</a> <a href="#ref-for-featurepolicy⑦">(6)</a> <a href="#ref-for-featurepolicy⑧">(7)</a> <a href="#ref-for-featurepolicy⑨">(8)</a> <a href="#ref-for-featurepolicy①⓪">(9)</a> <a href="#ref-for-featurepolicy①①">(10)</a> <a href="#ref-for-featurepolicy①②">(11)</a> <a href="#ref-for-featurepolicy①③">(12)</a> <a href="#ref-for-featurepolicy①④">(13)</a> <a href="#ref-for-featurepolicy①⑤">(14)</a> <a href="#ref-for-featurepolicy①⑥">(15)</a> <a href="#ref-for-featurepolicy①⑦">(16)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-featurepolicy-allowsfeature">
   <b><a href="#dom-featurepolicy-allowsfeature">#dom-featurepolicy-allowsfeature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-featurepolicy-allowsfeature">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-featurepolicy-features">
   <b><a href="#dom-featurepolicy-features">#dom-featurepolicy-features</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-featurepolicy-features">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-featurepolicy-allowedfeatures">
   <b><a href="#dom-featurepolicy-allowedfeatures">#dom-featurepolicy-allowedfeatures</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-featurepolicy-allowedfeatures">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-featurepolicy-getallowlistforfeature">
   <b><a href="#dom-featurepolicy-getallowlistforfeature">#dom-featurepolicy-getallowlistforfeature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-featurepolicy-getallowlistforfeature">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-document-featurepolicy">
   <b><a href="#dom-document-featurepolicy">#dom-document-featurepolicy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-document-featurepolicy">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-htmliframeelement-featurepolicy">
   <b><a href="#dom-htmliframeelement-featurepolicy">#dom-htmliframeelement-featurepolicy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-htmliframeelement-featurepolicy">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="associated-node">
   <b><a href="#associated-node">#associated-node</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-associated-node">7.2. The featurePolicy object</a> <a href="#ref-for-associated-node①">(2)</a> <a href="#ref-for-associated-node②">(3)</a> <a href="#ref-for-associated-node③">(4)</a> <a href="#ref-for-associated-node④">(5)</a> <a href="#ref-for-associated-node⑤">(6)</a> <a href="#ref-for-associated-node⑥">(7)</a> <a href="#ref-for-associated-node⑦">(8)</a> <a href="#ref-for-associated-node⑧">(9)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="default-origin">
   <b><a href="#default-origin">#default-origin</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-default-origin">7.2. The featurePolicy object</a> <a href="#ref-for-default-origin①">(2)</a> <a href="#ref-for-default-origin②">(3)</a> <a href="#ref-for-default-origin③">(4)</a> <a href="#ref-for-default-origin④">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="document-policy-object">
   <b><a href="#document-policy-object">#document-policy-object</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-document-policy-object">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="iframe-policy-object">
   <b><a href="#iframe-policy-object">#iframe-policy-object</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-iframe-policy-object">7.2. The featurePolicy object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="observable-policy">
   <b><a href="#observable-policy">#observable-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-observable-policy">7.1.2. Frame policies</a> <a href="#ref-for-observable-policy①">(2)</a>
    <li><a href="#ref-for-observable-policy②">7.2. The featurePolicy object</a> <a href="#ref-for-observable-policy③">(2)</a> <a href="#ref-for-observable-policy④">(3)</a> <a href="#ref-for-observable-policy⑤">(4)</a> <a href="#ref-for-observable-policy⑥">(5)</a>
    <li><a href="#ref-for-observable-policy⑦">11.1. Exposure of cross-origin behavior</a> <a href="#ref-for-observable-policy⑧">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="declared-origin">
   <b><a href="#declared-origin">#declared-origin</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-declared-origin">7.2. The featurePolicy object</a> <a href="#ref-for-declared-origin①">(2)</a> <a href="#ref-for-declared-origin②">(3)</a>
    <li><a href="#ref-for-declared-origin③">9.5. Process feature policy
    attributes</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="feature-policy-violation-reports">
   <b><a href="#feature-policy-violation-reports">#feature-policy-violation-reports</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-feature-policy-violation-reports">8. Reporting</a> <a href="#ref-for-feature-policy-violation-reports①">(2)</a> <a href="#ref-for-feature-policy-violation-reports②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violate">
   <b><a href="#violate">#violate</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violate">8. Reporting</a> <a href="#ref-for-violate①">(2)</a> <a href="#ref-for-violate②">(3)</a> <a href="#ref-for-violate③">(4)</a> <a href="#ref-for-violate④">(5)</a> <a href="#ref-for-violate⑤">(6)</a> <a href="#ref-for-violate⑥">(7)</a>
    <li><a href="#ref-for-violate⑦">9.11. Generate report for violation of
    feature policy on settings</a> <a href="#ref-for-violate⑧">(2)</a>
    <li><a href="#ref-for-violate⑨">11.1. Exposure of cross-origin behavior</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="featurepolicyviolationreportbody">
   <b><a href="#featurepolicyviolationreportbody">#featurepolicyviolationreportbody</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-featurepolicyviolationreportbody">8. Reporting</a>
    <li><a href="#ref-for-featurepolicyviolationreportbody①">9.11. Generate report for violation of
    feature policy on settings</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="featurepolicyviolationreportbody-featureid">
   <b><a href="#featurepolicyviolationreportbody-featureid">#featurepolicyviolationreportbody-featureid</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-featurepolicyviolationreportbody-featureid">9.11. Generate report for violation of
    feature policy on settings</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="featurepolicyviolationreportbody-sourcefile">
   <b><a href="#featurepolicyviolationreportbody-sourcefile">#featurepolicyviolationreportbody-sourcefile</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-featurepolicyviolationreportbody-sourcefile">8. Reporting</a> <a href="#ref-for-featurepolicyviolationreportbody-sourcefile①">(2)</a>
    <li><a href="#ref-for-featurepolicyviolationreportbody-sourcefile②">9.11. Generate report for violation of
    feature policy on settings</a> <a href="#ref-for-featurepolicyviolationreportbody-sourcefile③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="featurepolicyviolationreportbody-linenumber">
   <b><a href="#featurepolicyviolationreportbody-linenumber">#featurepolicyviolationreportbody-linenumber</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-featurepolicyviolationreportbody-linenumber">9.11. Generate report for violation of
    feature policy on settings</a> <a href="#ref-for-featurepolicyviolationreportbody-linenumber①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="featurepolicyviolationreportbody-columnnumber">
   <b><a href="#featurepolicyviolationreportbody-columnnumber">#featurepolicyviolationreportbody-columnnumber</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-featurepolicyviolationreportbody-columnnumber">9.11. Generate report for violation of
    feature policy on settings</a> <a href="#ref-for-featurepolicyviolationreportbody-columnnumber①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="featurepolicyviolationreportbody-disposition">
   <b><a href="#featurepolicyviolationreportbody-disposition">#featurepolicyviolationreportbody-disposition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-featurepolicyviolationreportbody-disposition">8. Reporting</a> <a href="#ref-for-featurepolicyviolationreportbody-disposition①">(2)</a>
    <li><a href="#ref-for-featurepolicyviolationreportbody-disposition②">9.11. Generate report for violation of
    feature policy on settings</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="process-response-policy">
   <b><a href="#process-response-policy">#process-response-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-process-response-policy">9.7. Create a Feature
    Policy for a browsing context from response</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="parse-header-from-value-and-origin">
   <b><a href="#parse-header-from-value-and-origin">#parse-header-from-value-and-origin</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-parse-header-from-value-and-origin">9.1. Process response
    policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="parse-policy-directive">
   <b><a href="#parse-policy-directive">#parse-policy-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-parse-policy-directive">9.5. Process feature policy
    attributes</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="merge-directive-with-declared-policy">
   <b><a href="#merge-directive-with-declared-policy">#merge-directive-with-declared-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-merge-directive-with-declared-policy">9.2. Parse header from value and
    origin</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="process-feature-policy-attributes">
   <b><a href="#process-feature-policy-attributes">#process-feature-policy-attributes</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-process-feature-policy-attributes">9.9. Define an inherited
    policy for feature in container at
    origin</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="create-for-browsingcontext">
   <b><a href="#create-for-browsingcontext">#create-for-browsingcontext</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-create-for-browsingcontext">9.7. Create a Feature
    Policy for a browsing context from response</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="define-inherited-policy">
   <b><a href="#define-inherited-policy">#define-inherited-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-define-inherited-policy">9.6. Create a
    Feature Policy for a browsing context</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="define-an-inherited-policy-for-feature-in-container-at-origin">
   <b><a href="#define-an-inherited-policy-for-feature-in-container-at-origin">#define-an-inherited-policy-for-feature-in-container-at-origin</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-define-an-inherited-policy-for-feature-in-container-at-origin">7.2. The featurePolicy object</a>
    <li><a href="#ref-for-define-an-inherited-policy-for-feature-in-container-at-origin①">9.8. Define an inherited policy for
    feature in browsing context</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="is-feature-enabled">
   <b><a href="#is-feature-enabled">#is-feature-enabled</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-is-feature-enabled">9.9. Define an inherited
    policy for feature in container at
    origin</a> <a href="#ref-for-is-feature-enabled">(2)</a>
    <li><a href="#ref-for-is-feature-enabled">9.12. Should
    request be allowed to use feature?</a>
   </ul>
  </aside>
<script>/* script-dfn-panel */

document.body.addEventListener("click", function(e) {
    var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
    // Find the dfn element or panel, if any, that was clicked on.
    var el = e.target;
    var target;
    var hitALink = false;
    while(el.parentElement) {
        if(el.tagName == "A") {
            // Clicking on a link in a <dfn> shouldn't summon the panel
            hitALink = true;
        }
        if(el.classList.contains("dfn-paneled")) {
            target = "dfn";
            break;
        }
        if(el.classList.contains("dfn-panel")) {
            target = "dfn-panel";
            break;
        }
        el = el.parentElement;
    }
    if(target != "dfn-panel") {
        // Turn off any currently "on" or "activated" panels.
        queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
            el.classList.remove("on");
            el.classList.remove("activated");
        });
    }
    if(target == "dfn" && !hitALink) {
        // open the panel
        var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']");
        if(dfnPanel) {
            dfnPanel.classList.add("on");
            var rect = el.getBoundingClientRect();
            dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
            dfnPanel.style.top = window.scrollY + rect.top + "px";
            var panelRect = dfnPanel.getBoundingClientRect();
            var panelWidth = panelRect.right - panelRect.left;
            if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
                // Reposition, because the panel is overflowing
                dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
            }
        } else {
            console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
        }
    } else if(target == "dfn-panel") {
        // Switch it to "activated" state, which pins it.
        el.classList.add("activated");
        el.style.left = null;
        el.style.top = null;
    }

});
</script>